Re: md5sums files
Wouter Verhelst <wouter@debian.org> writes:
> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.
I don't understand why you say this. Cryptographic attacks on MD5 aren't
going to happen as a result of random file corruption. The MD5 checksums
are still very effective at finding file corruption or modification from
what's in the Debian package unless that modification was done by a
sophisticated attacker (MD5 preimage attacks are still not exactly easy).
Detecting compromises is useful, but only a small part of what the MD5
checksums are useful for. I'd more frequently use them to detect
well-intentioned but misguided meddling by a local sysadmin.
I certainly don't object to replacing them with SHA1 hashes, although
signed deb packages would still be my preferred solution to this problem.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
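An added example, not part of the original message: a minimal checker for the `digest  relative/path` listing format that `md5sum` writes and that Debian's per-package md5sums files use, showing the corruption and local-modification detection described above. The function names, file paths and sample contents are constructed for illustration; a matching digest only shows a file agrees with the list, not that the list itself is authentic.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path):
    """Hex MD5 digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5sums(listing, root):
    """Map each path in a 'digest  relative/path' listing to ok/modified/missing."""
    results = {}
    for line in Path(listing).read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        expected, rel = line[:32], line[34:]  # 32 hex chars, two separator chars
        target = Path(root) / rel
        if not target.is_file():
            results[rel] = "missing"
        else:
            results[rel] = "ok" if md5_of(target) == expected else "modified"
    return results


def demo():
    """Constructed sample tree: one file edited and one deleted after recording."""
    files = {
        "usr/bin/tool": b"#!/bin/sh\necho tool\n",
        "usr/share/tool/defaults.cfg": b"verbose=0\n",
        "usr/share/doc/tool/README": b"docs\n",
    }
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, data in files.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
        listing = Path(root) / "tool.md5sums"
        listing.write_text("\n".join(lines) + "\n", encoding="utf-8")
        # Simulate a local edit and a deletion made after the list was recorded.
        (Path(root) / "usr/share/tool/defaults.cfg").write_bytes(b"verbose=1\n")
        (Path(root) / "usr/share/doc/tool/README").unlink()
        return verify_md5sums(listing, root)
```

Calling `demo()` returns the per-file status for the constructed tree; `verify_md5sums` can be pointed at a real listing and root directory instead.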