Re: md5sums files

To: debian-devel@lists.debian.org
Subject: Re: md5sums files
From: Sune Vuorela <nospam@vuorela.dk>
Date: Wed, 3 Mar 2010 06:30:34 +0000 (UTC)
Message-id: <[🔎] slrnhos0g9.nfa.nospam@sshway.ssh.pusling.com>
References: <[🔎] 20100303020620.GA17083@celtic.nixsys.be>

On 2010-03-03, Wouter Verhelst <wouter@debian.org> wrote:
> wouter@celtic:/var/lib/dpkg/info$ ls *md5sums|wc -l
> 2340

> In this day and age of completely and utterly broken MD5[0], I think we
> should stop providing these files, and maybe provide something else
> instead.  Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
> md5sums.
>
> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.

Hi

Even crc32 or md4 would be good enough for this. Probably even counting
'1 bits' in the files would be sufficient.

The md5 sums isn't to be used in case of a break in, as you can't trust
anything on the system anyways, but more things like:
 - did I make; sudo make install something on top of packages
 - did I just quickly hack a p{erl,ython}-script on the system to do
   something different and forgot
 - after a large fsck, which system files is actually fixed
 - ...

And none of this creates md5 collisions.

So md5 is a good choice for this.

/Sune

Reply to:

Follow-Ups:
- Re: md5sums files
  - From: Mike Hommey <mh@glandium.org>

References:
- md5sums files
  - From: Wouter Verhelst <wouter@debian.org>

Prev by Date: Re: md5sums files
Next by Date: Re: Bug#555743: dpkg-gencontrol: add support for Description:-s in the Source package stanza
Previous by thread: Re: md5sums files
Next by thread: Re: md5sums files
Index(es):
- Date
- Thread