Well the proof of concept without actually having two colliding files is really simple, so I thought it was generally understood.
Here's the easiest to explain way: Upload the malicious version of the file to github. Send an innocuous patch to the kernel devs that creates a file with the same hash. It gets accepted, and anyone that downloads the kernel from github gets the malicious version. Done. That's a small fraction of linux downloaders, but this is just the proof of concept.
Here's the easiest to explain way: Upload the malicious version of the file to github. Send an innocuous patch to the kernel devs that creates a file with the same hash. It gets accepted, and anyone that downloads the kernel from github gets the malicious version. Done. That's a small fraction of linux downloaders, but this is just the proof of concept.