Hi folks. AFAICS, secure APT and similar things (e.g. dpkg's file hash sums) still use even MD5. Wouldn't it make sense to start discussions about moving to the "strongest" possible? Or, like in the case of package files (dsc and friends) make a policy of verifying all hashes, and fail if any single doesn't match? I mean SHA-1 is far from being broken, but recently there was an estimation on when one will see first collisions (the archive on the NIST list requires registration, but Schneier has re-posted it on his blog[0]). So I guess one shouldn't delay that forever... Cheers, Chris. [0] http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
Attachment:
smime.p7s
Description: S/MIME cryptographic signature