| Walt Mankowski via plug on 25 Sep 2022 17:49:10 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] free courses, systemd Win, hashquines |
On Sun, Sep 25, 2022 at 08:22:47PM -0400, Rich Freeman via plug wrote: > On Sun, Sep 25, 2022 at 8:11 PM Walt Mankowski via plug > <plug@lists.phillylinux.org> wrote: > > > > On Sun, Sep 25, 2022 at 06:08:11PM -0400, JP Vossen via plug wrote: > > > On 9/25/22 16:53, Walt Mankowski via plug wrote: > > > > > It was already installed for me on Debian-10, which is near EoL. But holy cow the hashes are long! I use `md5sum` to compare files a lot [1], in part because the hashes are short and don't make my eyes & brain bleed. > > > > > > > > That was my reaction too. You can make them shorter with the -l > > > > parameter, but who knows what that does to the robustness of the > > > > algorithm? > > > > > > Probably still better than MD5? :-) But...I can remember `md5sum`, not sure how long I'm going to remember `b2sum -l 48`. > > > > Same. For the files I'm running this on, there's basically no risk > > they might have been hacked. > > > > I'd think that if you just truncated the hash to the same length as an > md5 hash then it should be no worse than md5 in terms of security. > I'd think it would keep any algorithmic strengths of the better > algorithm, but of course you'd be less resistant to brute force > attacks. The problem with truncating the hash is that it's in the middle of each line that's printed. Maybe there's some simple way of doing that in the shell, but if so I can't think of one. I ended up piping it through perl -aE '$F[0] = substr($F[0], 0, 32); say "@F"' which feels ridiculous. Maybe using `b2sum -l 128` is fine, but plain old md5sum is also perfectly safe for the cases JP and I are using it for. > I realize you aren't really concerned with deliberate attacks, but it > never hurts to use the more secure algorithm. > > So, on the topic of insecure hash algorithms, can anybody spot the > glaring problem with this: > $ git cat-file commit ec9a21e4f51de087744f2f5eb95a82cda673b07e > tree 0b6fab6bb7b543878e599ec60699fb005b434bbc > parent b95029fad9f1a593342cb2f52322a182c29259de > author Repository mirror & CI <repomirrorci@gentoo.org> 1664081214 +0000 > committer Repository mirror & CI <repomirrorci@gentoo.org> 1664081214 +0000 > gpgsig -----BEGIN PGP SIGNATURE----- > > iQEzBAABCAAdFiEE90jps8R+OTzCTI+vfCrAnNmPLt8FAmMv3T4ACgkQfCrAnNmP > Lt99Xwf8DFCj4LNb5m2fJ9Didx7Yw3rYQxb655O7+/+OcdInU3rbqCywtZPv8Ij+ > 8r57/l3ehnFct2Wut2jKokNXzvd+mDPbPVc4sZ6Y5cLxtvycIAD48jHcXSJoc7gk > WYuoBP3o1Rdkfj1dM8wZ+jzvEbt8FKMXoXdvXurjoifL7QvlZUjaeOeHmecWswyD > jP8bW409LeK0wxUf10XcyP7+ehMeCD0j8eGF/+NC3hx7QBY+VZO+CZ1V5YXQfF4k > wU6e9vZEJSd47zeKiCn1SSJ4KAzcDvUmV1mqlZBxosZC/BKreJEgk8F0qOLxBlzg > Zxnpw1CK7pYG64Easd0x63zIAIMeNg== > =/8YU > -----END PGP SIGNATURE----- > > 2022-09-25 04:46:54 UTC I can't. Walt ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug