
Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide



On 2015-08-07 15:54:26 +0200, Antonio Diaz Diaz wrote:
> I have no experience at all rigging tarballs, but it took me just
> minutes to obtain two xz compressed tarballs with very different
> contents that match in size and sum(1). I did it just with an
> editor, ddrescue and data from /dev/urandom, by brute force, without
> any knowledge about the algorithm of sum. And I did it not once, but
> twice.

sum(1) just gives a 16-bit checksum! So, it suffices to generate
N*65536 random compressed tarballs to get around N collisions with
a given file. Then the only problem is to get the right size, but
if one has random input, it is (almost) not compressible, so that
one will get "almost" the same size for each tarball. By controlling
how compression is done to reach the right size, this should even be
easier.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
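
Added example, not part of the original message: it measures the 16-bit argument above by counting how many random same-size blobs must be drawn before one matches a target under the BSD algorithm that sum(1) uses by default, then shows that SHA-256 still tells the two apart. The 16-byte blobs, the fixed seed and the function names are assumptions chosen for the illustration; they stand in for the compressed tarballs discussed in the thread.

```python
import hashlib
import random


def bsd_sum(data: bytes) -> int:
    """16-bit rotating checksum (the BSD algorithm, default for GNU sum)."""
    checksum = 0
    for byte in data:
        # Rotate the 16-bit accumulator right by one bit, then add the byte.
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def trials_until_match(target: bytes, rng: random.Random, limit: int = 2_000_000):
    """Draw random blobs of len(target) until one shares target's bsd_sum.

    Returns (trials, blob), or (limit, None) if nothing matched within limit.
    """
    want, size = bsd_sum(target), len(target)
    for trials in range(1, limit + 1):
        blob = rng.getrandbits(8 * size).to_bytes(size, "big")
        if blob != target and bsd_sum(blob) == want:
            return trials, blob
    return limit, None


if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed (assumption) so the run repeats
    # Constructed sample input: a random 16-byte "file".
    target = rng.getrandbits(8 * 16).to_bytes(16, "big")
    trials, blob = trials_until_match(target, rng)

    print(f"size and sum match after {trials} trials "
          f"({trials / 65536:.2f} x 65536)")
    print("sum    :", bsd_sum(target), bsd_sum(blob))
    print("sha256 :", hashlib.sha256(target).hexdigest()[:16],
          hashlib.sha256(blob).hexdigest()[:16])
```

The trial count varies from run to run around 65536, while the SHA-256 digests of the two blobs differ, which is why a size plus sum(1) comparison cannot serve as an integrity check for an archive.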

