Might want to update /releases/ to be less proud of MD5

To: debian-www@lists.debian.org
Subject: Might want to update /releases/ to be less proud of MD5
From: Ben Harris <bjh21@cam.ac.uk>
Date: Fri, 24 Apr 2015 19:54:04 +0100 (BST)
Message-id: <[🔎] alpine.DEB.2.10.1504241949060.8352@puff.ds.cam.ac.uk>

I was just looking at <http://www.debian.org/releases/> and noticed thistext:

"Data integrity is granted by a digitally signed Release file. To ensurethat all files in the release belong to it, MD5 checksums of all Packagesfiles are copied into the Release file.

I think it might be worth updating this to say "SHA-256" in place of"MD5", since MD5 is looking a little weak these days. Alternatively,since the precise algorithm is not really relevant (and not mentioned forthe signature), maybe replacing "MD5 checksums" with "cryptographichashes" would be better and more future-proof.


--
Ben Harris, University of Cambridge Information Services.  Tel: (01223) 334728

Reply to:

Follow-Ups:
- Re: Might want to update /releases/ to be less proud of MD5
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: Who's using Debian entry: Switch [Fwd: dnorwood@portalus.com]
Next by Date: Re: Might want to update /releases/ to be less proud of MD5
Previous by thread: Re: Who's using Debian entry: Switch [Fwd: dnorwood@portalus.com]
Next by thread: Re: Might want to update /releases/ to be less proud of MD5
Index(es):
- Date
- Thread