On Thu 2019-10-24 11:16:10 +0100, Steve McIntyre wrote:
> The vast majority of the usage of MD5 here is for (essentially)
> content-addressable storage. Given the context (with a checksum over
> the whole image too), this is not such a critical failing.
Is the final checksum over the whole image also MD5, or do we use
something stronger?
Is there a reason that a maintained version shouldn't use SHA256
instead?
From the debian ecosystem perspective, it would be better to publish
only a single set of "content-addressable" digests (hence this bug
report), so whatever that mechanism is might as well also be
cryptographically strong.
--dkg
Attachment:
signature.asc
Description: PGP signature