Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

[Ian Campbell <ijc@hellion.org.uk>]

On Fri, 2013-08-02 at 15:29 +0200, Guillem Jover wrote:
> > I was wondering if it is time to drop or deprecate MD5 from the apt
> > metadata and replace it with SHA512 and or SHA-3. Thoughts?
> 
> Adding stronger hashes support seems in general like a good idea, but
> I've never quite understood the urge to remove weaker ones in case
> these get accumulated instead of replaced, as more hashes should also
> in general imply a harder time coming up with data that will produce
> all the same hashes.

You don't need to match all of them though, just the strongest hash that
your target is actually checking.

So if we drop md5 we will flush out all those utilities which rely only
on md5 which will, eventually, lead to an increase in the strongest hash
which targets are checking and prevent attackers from only supplying
md5.

> In any case, removing md5 support seems like a bad idea to me right
> now, as older software might not have been adapted to check the other
> hashes, or would imply breaking the current .dsc and ,changes formats,
> as the Files field uses md5.

Right, but perhaps dropping md5 should become a longer term goal?

Did debian-devel have not this same conversation not so long ago? I'm
getting that deja vu feeling...

Ian.