Re: Time to replace MD5?
Mike Hommey wrote:
On Wed, Jun 13, 2007 at 10:37:26AM -0300, Henrique de Moraes Holschuh <firstname.lastname@example.org> wrote:
On Wed, 13 Jun 2007, Florian Weimer wrote:
On Tue, 12 Jun 2007, Touko Korpela wrote:
Debian Security Advisories currently contain MD5 checksums. As MD5 is no
longer strong enough, maybe it should be replaced by SHA1 or SHA256?
When combined with size information
Size information doesn't buy you that much.
When we are talking about a binary blob that matches the *same* md5sum? Yes,
it does. Causing a MD5 colision with a message of the same size is far more
Especially when it has to be a valid .deb file (which means an ar archive of
2 correctly gzipped tar files)
But did somebody check if dpkg handle correctly (error) if there
are extra data after a gz or at the end of a dpkg?