ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject Re: Publishing metalinks on the download page
Date Fri, 04 Sep 2009 04:25:23 GMT
On 2009-09-03, Bram Neijt <bneijt@gmail.com> wrote:

> On Thu, 2009-09-03 at 16:54 +0200, Stefan Bodewig wrote:

>> Do I tust the download client? ;-;
> I trust my download client, just as much as I trust my md5sums
> binary ;).

Agreed.

>> If my understanding is correct it would also allow me to create a trojan
>> distribution of some software if I manage to create MD5 checksums that
>> match the original distribution

> You are correct, a well funded bad-guy would be able to do so creating a
> hash collision on MD5 or any other kind of verification method you can
> muster. A really well-funded bad-guy would be better off becoming a
> dictator, and taking control of most of the countries DNS servers.

Maybe.  But the amount of funds required is very different.  If MD5 was
the only checksum I'm pretty sure my notebook would be able to create a
zip or tar with matching checksums in a few hours.

> That said, you could host your own metalink with only one or two
> mirrors, anybody using aria2c for example, would no-longer require to
> hand-check the digest after download.

The way we create the download page could probably be used to create a
metalink XML file as well (i.e. an XML file that contained exactly the
same mirrors that are shown on the download page).

I don't have a strong opinion on whether we want to do that.  Others?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message