
Re: md5sums files

On 2010-03-03, Wouter Verhelst <wouter@debian.org> wrote:
> wouter@celtic:/var/lib/dpkg/info$ ls *md5sums|wc -l
> 2340

> In this day and age of completely and utterly broken MD5[0], I think we
> should stop providing these files, and maybe provide something else
> instead.  Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
> md5sums.
> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.


Even crc32 or md4 would be good enough for this. Probably even counting
'1 bits' in the files would be sufficient.

The md5 sums aren't to be used in case of a break-in, as you can't trust
anything on the system anyways, but more for things like:
 - did I make; sudo make install something on top of packages
 - did I just quickly hack a p{erl,ython}-script on the system to do
   something different and forgot
 - after a large fsck, which system files are actually fixed
 - ...

And none of this creates md5 collisions.

So md5 is a good choice for this.
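
The integrity check this message describes, as an added example that is not part of the original post or of dpkg itself: it compares files under a root against a dpkg-style md5sums list and reports which were changed or lost. It assumes each line has the form `<md5hex>  <path relative to the root>`; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Yield (digest, relative_path) from '<md5hex>  <path>' lines (assumed format)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        yield digest.lower(), path

def file_md5(path, chunk=1 << 16):
    h = hashlib.md5()  # detects accidental change only; gives no tamper evidence
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(md5sums_text, root="/"):
    """Sort every listed path into 'ok', 'changed' or 'missing'."""
    result = {"ok": [], "changed": [], "missing": []}
    for digest, rel in parse_md5sums(md5sums_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif file_md5(full) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo():
    """Constructed sample: one untouched, one locally edited, one lost file."""
    files = {"usr/bin/tool": b"#!/usr/bin/perl\nprint 1;\n",
             "usr/share/doc/tool/README": b"docs\n", "etc/tool.conf": b"x=1\n"}
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, data in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
            lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"print 2;\n")  # the forgotten quick hack to a script
        os.remove(os.path.join(root, "etc/tool.conf"))  # e.g. lost after fsck
        return verify("\n".join(lines), root)
```

Because the reference list sits on the same disk as the files it describes, a result of `ok` only rules out accidental modification, which is the use case the message argues for.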

