From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 125279 invoked by alias); 17 Aug 2017 02:23:20 -0000 Mailing-List: contact gdb-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-owner@sourceware.org Received: (qmail 123911 invoked by uid 89); 17 Aug 2017 02:23:17 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=0.8 required=5.0 tests=AWL,BAYES_50,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM,SPF_PASS autolearn=no version=3.3.2 spammy=researchers, downloading, r0b0t1, ftp.gnu.org X-Spam-User: qpsmtpd, 2 recipients X-HELO: mail-yw0-f175.google.com Received: from mail-yw0-f175.google.com (HELO mail-yw0-f175.google.com) (209.85.161.175) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 17 Aug 2017 02:23:16 +0000 Received: by mail-yw0-f175.google.com with SMTP id n83so5580612ywn.2; Wed, 16 Aug 2017 19:23:16 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=o8tK7+80JVnK+ZMDaE3ylGRqzR5AfEzCfVYXVfIKJ4g=; b=fwOTyyaP71st+kurcdWv2pAukprEA04tUoR0iHKfforrZAFgGEwNYhYePEtiDp3nLL JCpvAnQC+bQKICjrkDK9QPpTqdkjNqarKygw/Bx4ucq0FE2fI7M1hmZocO5jixX4MS/q A+ozBSti6CjwzN7yMhhw1B1bimElRR6YYUUltnpf4ezAdOAQFnKLL6eNP2pOvamyD0so Fv+YsoddrRoqh6M7zungzw++hYSGu63BJyb5AtgpCGf6njqTf9wpMCdP54MJgbk9XSvO 296JGnFWLZ16JIFoDjd76nMXVkga/lvNXTaan4I3GcY/F0isf1BzFtGZFoi46OREKdN5 fkzw== X-Gm-Message-State: AHYfb5jKLFFtbGI80t8ifBUeGEnEcOjokgGAWJOzr4/NwjZY6yrAYyXc N0Z51PZkTKe0w7Gv3mHkXBxKnswDOxmb X-Received: by 10.13.243.67 with SMTP id c64mr2932572ywf.220.1502936594361; Wed, 16 Aug 2017 19:23:14 -0700 (PDT) MIME-Version: 1.0 Received: by 10.129.211.10 with HTTP; Wed, 16 Aug 2017 19:23:13 -0700 (PDT) From: R0b0t1 Date: Thu, 17 Aug 2017 02:23:00 -0000 Message-ID: Subject: Release Signing Keys are Susceptible to Attack To: binutils@sourceware.org, GCC Development , gdb@sourceware.org Content-Type: text/plain; charset="UTF-8" X-IsSubscribed: yes X-SW-Source: 2017-08/txt/msg00035.txt.bz2 After downloading and verifying the releases on ftp://ftp.gnu.org/gnu/, I found that the maintainers used 1024 bit DSA keys with SHA1 content digests. 1024 bit keys are considered to be susceptible to realistic attacks, and SHA1 has been considered broken for some time. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf, p17 https://shattered.io/ SHA1 is weak enough that a team of researchers was able to mount a realistic attack at no great cost. As compilers and their utilities are a high value target I would appreciate it if the maintainers move to more secure verification schemes. Respectfully, R0b0t1.