Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)

To: debian-devel@lists.debian.org
Subject: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Thu, 11 Oct 2012 01:19:58 +0200
Message-id: <[🔎] 1349911198.3341.117.camel@fermat.scientia.net>

Hi folks.

AFAICS, secure APT and similar things (e.g. dpkg's file hash sums) still
use even MD5.


Wouldn't it make sense to start discussions about moving to the
"strongest" possible?
Or, like in the case of package files (dsc and friends) make a policy of
verifying all hashes, and fail if any single doesn't match?


I mean SHA-1 is far from being broken, but recently there was an
estimation on when one will see first collisions (the archive on the
NIST list requires registration, but Schneier has re-posted it on his
blog[0]).

So I guess one shouldn't delay that forever...


Cheers,
Chris.


[0] http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to:

Follow-Ups:
- Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
  - From: Peter Samuelson <peter@p12n.org>
- Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: Hijacking^W^W^W^W^W^WSalvaging packages for fun and profit: A proposal
Next by Date: (seemingly) declinging bug report numbers
Previous by thread: Re: Bug#690183: ITP: apt-fast -- shellscript wrapper for apt-get or aptitude
Next by thread: Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
Index(es):
- Date
- Thread