On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote:
> On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote:
> > Ok, I've been trying this, but how can we tell if the sequence is sha256
> > or md5 if we're *just* given the sequence (i.e. applydeltarpm -c -s
> > audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where it's
> > a sha256 sequence)?
>
> Ok, I've got it. We just check against md5 first, then sha256 if md5
> doesn't match. It's not elegant, but it should work fine, especially
> since we're only checking for verification, *not* security.
>
> Jonathan

Sorry for jumping in that late, but assuming a malicious deltarpm that could fake a matching md5 sum to pass validation, wouldn't it get applied and make that a security issue?

--
Axel.Thimm at ATrpms.net
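The two verification policies discussed in this thread, as an added illustration that is not code from deltarpm or from either poster: `verify_try_in_order` is the "md5 first, then sha256" fallback Jonathan describes, and `verify_by_algorithm` is a stricter variant that decides the algorithm from the digest length and only accepts algorithms on an allow-list, which is the mitigation Axel's concern points toward. The payload and the treatment of the hex string as a plain digest of that payload are constructed assumptions for the example; the real deltarpm sequence layout is not reproduced here.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample bytes standing in for the data a sequence digest covers.
PAYLOAD = b"audit-libs-1.7.12-1.fc11 constructed sample header bytes"

# Hex lengths of the two digests the thread mentions (assumed: bare digest only).
_ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def verify_try_in_order(payload: bytes, digest_hex: str) -> Optional[str]:
    """Scheme from the thread: accept md5 if it matches, otherwise try sha256.
    Returns the algorithm that matched, or None. Because md5 is accepted
    whenever it matches, the check is only as strong as md5."""
    for algo in ("md5", "sha256"):
        computed = hashlib.new(algo, payload).hexdigest()
        if hmac.compare_digest(computed, digest_hex.lower()):
            return algo
    return None


def verify_by_algorithm(
    payload: bytes,
    digest_hex: str,
    allowed: Tuple[str, ...] = ("sha256",),
) -> Optional[str]:
    """Stricter variant: infer the algorithm from the digest length, refuse
    anything not on the allow-list, then compare in constant time.
    Returns the accepted algorithm, or None when rejected or mismatched."""
    algo = _ALGO_BY_HEX_LEN.get(len(digest_hex))
    if algo is None or algo not in allowed:
        return None  # unknown digest size or disallowed (e.g. md5) algorithm
    computed = hashlib.new(algo, payload).hexdigest()
    if hmac.compare_digest(computed, digest_hex.lower()):
        return algo
    return None


if __name__ == "__main__":
    md5_hex = hashlib.md5(PAYLOAD).hexdigest()
    sha256_hex = hashlib.sha256(PAYLOAD).hexdigest()
    print("fallback accepts md5:", verify_try_in_order(PAYLOAD, md5_hex))
    print("strict rejects md5:", verify_by_algorithm(PAYLOAD, md5_hex))
    print("strict accepts sha256:", verify_by_algorithm(PAYLOAD, sha256_hex))
```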
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list