
Re: Upgrade the embedded checksum from MD5 to SHA256?



Steve McIntyre <steve@einval.com> (2024-12-16):
> That's fine IMHO: at this point, the checksum is for verifying media
> corruption rather than tampering. md5 is fine for that. We tell people
> how to verify an image download using a stronger checksum, as that's the
> place that's likely to be attacked.

Yes, that's the same kind of benefit we get from having md5sums shipped
in deb files?

> I don't think this matters, tbh. Any other opinions?

The status quo looks fine to me, switching does not seem crazy either
(modulo making sure data shipped vs. code using it get with a suitable
timing and/or with some fallback code, I didn't look into the details).


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
