[coreboot] It appears the build process still uses unverified http wget sources
nico.h at gmx.de
Tue Nov 15 22:58:26 CET 2016
On 14.11.2016 00:29, Taiidan at gmx.com wrote:
> True, but quality security is about planning for the theoretical and not
So what's your theory?
> just closing the barn door after the animals have left already.
You are implying that SHA-1 will be broken earlier than SHA-2, because
Seriously, if you want to prepare for the theoretical, take SHA-1,
SHA-2, SHA-3 and some alternatives (RIPEMD and Skein come to mind) and
verify the hashes in parallel. They are all different algorithms and
you can't predict which of them will be broken first.
> I am sure there are quite a lot of things that the public doesn't know
> about, kept secret by the shady people and organizations of the world
So your conclusion? Promote SHA-2? Please read the very first sentence
of the SHA-2 Wikipedia article  and we can talk about shady people.
> On 11/13/2016 06:26 PM, Nico Huber wrote:
>> On 14.11.2016 00:06, Taiidan at gmx.com wrote:
>>> Shouldn't we be using sha256 or sha512? I am not a crypto expert but
>>> AFIAK couldn't sha1 collisions could be easily generated with the type
>>> of resources available to someone who would want to attack coreboot?
>> AFAIK, there is no known attack on SHA-1 yet that could break security
>> in this scenario (the attacker wouldn't only have to find any collision
>> but a collision for a given hash which takes a power of 2 in time).
>> Anyway, there is a patch on review, that makes use of SHA-384 and should
>> make the checksum generation trustworthy:
>>> On 11/06/2016 07:15 PM, Iru Cai wrote:
>>>> buildgcc can verify the SHA1 sum of the tarballs, and the checksum is
>>>> cloned from the git repository via HTTPS or SSH, so I think we don't
>>>> to worry.
>> Alas, the current checksum is only verified for already downloaded
More information about the coreboot