On Thu, 26 Aug 2004, Peter Jeremy wrote: > On Wed, 2004-Aug-25 13:16:40 -0700, Brooks Davis wrote: > >On Wed, Aug 25, 2004 at 09:51:50PM +0200, [email protected] wrote: > >> I _believe_ answer is "no", because i _think_ the FreeBSD ports system also > >> verify the size of the archive(s) (cat /usr/ports/any/any/distinfo to see > >> what made me think that). > > I don't believe the size adds much security. it makes it harder for the person, it limits them in what they can do, it also picks up files whos download was interupted... > >Paranoia might suggest adding support for multiple hashes which would > >vastly increase the difficulty of finding a collision > > I'd agree with this. Identifying suitable hashes is a more difficult task. sha-1? rmd160? > >Hmm, one thing to think about might be making sure the various archive > >formats are hard to pad with junk. I think the stream based ones need > >to allow zero pading at the end to support tapes, but it would be > >intresting to see if other junk can end up in pading sections without > >the archiver noticing. If so, that would be a good thing to find a way > >to detect. > > tar uses one (or two) blocks of NULs to mark logical EOF - anything > beyond that is ignored. gzip ignores (but warns) about padding after > its expected EOF. I'm not sure about bzip2. I suspect it would be > possibly to include arbitrary padding inside a ZIP file, though > probably not at the end. This would make it relatively easy to pad a > trojan'd file to any desired size. here is where the size thing comes in... if they have to add padding then it makes it harder (because of warnings, etc) _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"