Mailinglist Archive: opensuse-buildservice (140 mails)

Re: [opensuse-buildservice] adding checksums to the buildinfo
On Tue, Jul 17, 2012 at 12:43 PM, Robert Schiele <rschiele@xxxxxxxxx> wrote:
> While this is basically true, MD5 is used in OBS all over the place and
> thus for consistency and code reuse reasons it might still make sense
> to go with that. It should also be noted that the intent of the MD5
> sum in Marcus' proposal is not to add a layer of security for
> malicious attacks (that you better prevent by verifying RPM signatures
> and SSL certificates for the connection (when using https)) but to use
> it as a simple checksum mechanism to detect technical transmission
> issues.

Anyway... isn't the bulk of the complexity of checking signatures the
computation of the hash value? (reading the whole package and
computing the hash implies processing massive amounts of data).

I don't see why verifying the package's signature would be so much worse.