On 18-Aug-2004 Mike Tancsa wrote:
> As I have no crypto background to evaluate some of the (potentially wild
> and erroneous) claims being made in the popular press* (eg
> http://news.com.com/2100-1002_3-5313655.html see quote below), one thing
> that comes to mind is the safety of ports. If someone can pad an archive
> to come up with the same MD5 hash, this would challenge the security of
> the FreeBSD ports system no ?

I _believe_ the answer is "no", because I _think_ the FreeBSD ports system also verifies the size of the archive(s) (cat /usr/ports/any/any/distinfo to see what made me think that). Padding would modify the archive size.

Finding a backdoored version that both satisfies producing the same hash and being the same size is probably not impossible, but how many years would it take?

Now, I may be wrong. Any enlightenment welcome.

-- 
Guy

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
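
The kind of check the message describes, as an added example that is not part of the original post and not FreeBSD's own code: a distfile is accepted only if both its length and its MD5 match the recorded values. The `MD5 (name) = hex` / `SIZE (name) = bytes` record shape is assumed, and the file name, contents and helper names are constructed for illustration.

```python
import hashlib
import re

# Assumed record shape: "MD5 (name) = hex" and "SIZE (name) = bytes".
RECORD = re.compile(r"^(MD5|SIZE) \(([^)]+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {"MD5": hexdigest, "SIZE": int}}."""
    entries = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # blank lines and record types this sketch ignores
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = (
            int(value) if kind == "SIZE" else value.lower())
    return entries


def verify(name, data, entries):
    """Return the list of failed checks for `data`; empty means it passed."""
    want = entries.get(name)
    if want is None:
        return ["no distinfo entry"]
    failures = []
    # Size and digest are independent checks; a missing record is a failure.
    if want.get("SIZE") != len(data):
        failures.append("size mismatch")
    if want.get("MD5") != hashlib.md5(data).hexdigest():
        failures.append("md5 mismatch")
    return failures


# Constructed sample: a stand-in "archive" and the distinfo recorded for it.
NAME = "example-1.0.tar.gz"
ORIGINAL = b"constructed archive contents\n" * 32
DISTINFO = (f"MD5 ({NAME}) = {hashlib.md5(ORIGINAL).hexdigest()}\n"
            f"SIZE ({NAME}) = {len(ORIGINAL)}\n")

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    padded = ORIGINAL + b"\x00" * 64                 # appended padding
    patched = b"X" + ORIGINAL[1:]                    # same length, altered
    for label, blob in [("original", ORIGINAL), ("padded", padded),
                        ("same-size edit", patched)]:
        print(label, verify(NAME, blob, entries) or "OK")
```

A padded file fails the size comparison whatever its digest is, so the digest check only has to hold against files of exactly the recorded length.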