md5sums files



Hello world,

wouter@celtic:/var/lib/dpkg/info$ ls *md5sums|wc -l
2340
wouter@celtic:/var/lib/dpkg/info$ ls *sums|wc -l
2340
wouter@celtic:/var/lib/dpkg/info$ dpkg -l|sed -e'1,/=====/d'|wc -l
2483

I must say I was somewhat surprised by these numbers. Out of 2483
packages installed on my laptop, 2340 install md5sums. While that
might've been useful at some point, I don't think it still is.

In this day and age of completely and utterly broken MD5[0], I think we
should stop providing these files, and maybe provide something else
instead.  Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
md5sums.

Or is it useful to be able to say "if it doesn't check out, it's
certainly corrupt, and if it does check out, it may be corrupt"? Didn't
think so.

Thoughts?

[0] No reference. It's all over the internet. If you didn't know about
MD5 being broken yet, where have you been sleeping these past few years?

-- 
The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.
  http://www.schneier.com/blog/archives/2009/01/biometrics.html
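
An added example, not part of the original post: it reads a manifest in the "<hex digest>  <relative path>" layout of the *.md5sums files counted above, checks a file tree against it, and rebuilds the same file list with SHA-256. The two-file tree and all function names are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Split '<hex digest>  <relative path>' lines into (digest, path) pairs."""
    return [tuple(line.split("  ", 1)) for line in text.splitlines() if line.strip()]

def file_digest(path, algo):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root, manifest, algo="md5"):
    """Return {relative path: 'ok' | 'mismatch' | 'missing'} for every entry."""
    results = {}
    for digest, rel in parse_manifest(manifest):
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
        else:
            results[rel] = "ok" if file_digest(target, algo) == digest.lower() else "mismatch"
    return results

def rehash(root, manifest, algo="sha256"):
    """Build a manifest for the same file list using a different digest."""
    return "".join(f"{file_digest(Path(root) / rel, algo)}  {rel}\n"
                   for _, rel in parse_manifest(manifest))

def demo():
    """Run against a constructed two-file tree; no real package is touched."""
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n",
             "usr/share/doc/hello/README": b"constructed sample\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        md5_manifest = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n" for r, d in files.items())
        sha_manifest = rehash(root, md5_manifest)
        before = verify(root, md5_manifest)
        (Path(root) / "usr/bin/hello").write_bytes(b"#!/bin/sh\necho changed\n")
        (Path(root) / "usr/share/doc/hello/README").unlink()
        return before, verify(root, md5_manifest), verify(root, sha_manifest, "sha256")

if __name__ == "__main__":
    for label, result in zip(("before", "after (md5)", "after (sha256)"), demo()):
        print(label, result)
```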
