A risk with using MD5 for software package fingerprinting

[Ben Laurie]

David Honig wrote:
> 
> At 12:07 PM 1/27/02 -0500, Arnold G. Reinhold wrote:
> > if
> >an attacker had an agent working inside the organization that
> >produced the package, the agent could simply insert the Trojan
> >software patch in the original package. However such an insertion is
> >very risky. A sophisticated software company would likely have code
> >reviews that would make introduction of the Trojan code difficult.
> 
> Um, right.  A good company would have *design* reviews, but would it really
> spend time having skilled engineers review *all* the actual codelines

One of the duties of a person with commit access to an Apache Software
Foundation project is, indeed, to review _all_ commits to that package.

Admittedly any particular individual will sometimes only glance at the
commit, but bugs are picked up at this stage with such regularity that I
am confident that the vast majority of commits are, in fact, reviewed.

I believe this practice is pretty common in free software.

Oh, I should note that commits are emailed to all committers, so it does
not require the committers to actively seek out commits to review.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com