-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2007-04-08 at 23:43 -0700, David Brodbeck wrote:
Ryouga Hibiki wrote:
PS: Unless you know that there's a way to change a package without modifying the integrity of these (MD5SUM), is that possible?
I *think* it's been shown that it's possible to create two different files that have the same MD5 checksum.
Curious! I was thinking of that the other day while falling sleep. It is obviously possible: if it weren't, then we could use the checksum instead of the original file as a brutally effective compression technique. There will be then several (many?) files of the same size having the same checksum.
Exploiting this would require creating a *meaningful* file with the same checksum as the original, though, which is much more difficult.
Not knowing the in depth mathematical analysis of checksums, my educated guess is that a checksum protects against the chance corruption of a file in transmission, affecting one or many, but not all, of its bytes. It will not protect against the deliberate attempt to generate a file of the same size and checksum; but generating one such file that is a valid file of the same format I imagine could be an herculean task. In the case of the SuSE iso images, the task would be terrible difficult: each rpm inside the iso has also checksums, plus a pgp signature. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFGGf5dtTMYHG2NR9URAuysAKCMl9zILcGYrrmrS3HDS/OoM8FAaQCeOOD+ yBdiXBGKKBLNLZq2j+gqGso= =lSj3 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org