A risk with using MD5 for software package fingerprinting
Ben Laurie
ben at algroup.co.uk
Mon Jan 28 07:36:25 EST 2002
David Honig wrote:
>
> At 12:07 PM 1/27/02 -0500, Arnold G. Reinhold wrote:
> > if
> >an attacker had an agent working inside the organization that
> >produced the package, the agent could simply insert the Trojan
> >software patch in the original package. However such an insertion is
> >very risky. A sophisticated software company would likely have code
> >reviews that would make introduction of the Trojan code difficult.
>
> Um, right. A good company would have *design* reviews, but would it really
> spend time having skilled engineers review *all* the actual codelines
One of the duties of a person with commit access to an Apache Software
Foundation project is, indeed, to review _all_ commits to that package.
Admittedly any particular individual will sometimes only glance at the
commit, but bugs are picked up at this stage with such regularity that I
am confident that the vast majority of commits are, in fact, reviewed.
I believe this practice is pretty common in free software.
Oh, I should note that commits are emailed to all committers, so it does
not require the committers to actively seek out commits to review.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list