Might want to update /releases/ to be less proud of MD5
I was just looking at <http://www.debian.org/releases/> and noticed this
text:
"Data integrity is granted by a digitally signed Release file. To ensure
that all files in the release belong to it, MD5 checksums of all Packages
files are copied into the Release file."
I think it might be worth updating this to say "SHA-256" in place of
"MD5", since MD5 is looking a little weak these days. Alternatively,
since the precise algorithm is not really relevant (and not mentioned for
the signature), maybe replacing "MD5 checksums" with "cryptographic
hashes" would be better and more future-proof.
--
Ben Harris, University of Cambridge Information Services. Tel: (01223) 334728
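
The check the quoted text describes, as an added example that is not part of the original message and is not Debian's or apt's code: it looks up a Packages index in a Release file and accepts only the SHA256 entry, refusing to fall back to MD5Sum. It assumes the Release file's signature has already been verified; the sample path, package data and SHA256-only policy are constructed for illustration.

```python
import hashlib

# Release checksum field -> hashlib algorithm name
HASH_FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# Assumed policy for this example: only SHA256 entries are trusted.
ACCEPTED = ("SHA256",)

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for each checksum field."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            digest, size, path = line.split()
            sections[current][path] = (digest, int(size))
        else:
            name = line.split(":", 1)[0]
            current = name if name in HASH_FIELDS else None
            if current:
                sections[current] = {}
    return sections

def verify_index(release_text, path, data):
    """True if data matches the accepted hash and size listed for path."""
    sections = parse_release(release_text)
    for field in ACCEPTED:
        entry = sections.get(field, {}).get(path)
        if entry is not None:
            digest, size = entry
            actual = hashlib.new(HASH_FIELDS[field], data).hexdigest()
            return len(data) == size and actual == digest
    # Never fall back to MD5Sum or SHA1 when the accepted field is missing.
    raise ValueError(f"no accepted hash listed for {path}")

# Constructed sample data, not taken from a real archive.
PATH = "main/binary-amd64/Packages"
PACKAGES = b"Package: hello\nVersion: 1.0-1\n"

def sample_release(fields):
    """Build a Release-style text listing PACKAGES under the given fields."""
    lines = ["Origin: Example", "Suite: stable"]
    for field in fields:
        digest = hashlib.new(HASH_FIELDS[field], PACKAGES).hexdigest()
        lines += [f"{field}:", f" {digest} {len(PACKAGES)} {PATH}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    release = sample_release(["MD5Sum", "SHA256"])
    print(verify_index(release, PATH, PACKAGES))
```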