
Re: leaks in our only-signed-software fortress

On Sat, Feb 18, 2012 at 11:48:27AM +0100, Thomas Koch wrote:
> What about a debhelper script that receives an URL (or set of mirror
> URLs) and a SHA1 and does the download and check?

Please use something stronger than SHA-1.  SHA-1 has some weaknesses and
something like SHA-256 or SHA-512 should be used in new applications.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature
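The download-and-check helper proposed in the quoted message, sketched with SHA-256 as the reply recommends. This is an added example, not code from the thread or from debhelper; `fetch_verified` and its parameters are hypothetical names, and the demo uses constructed local files as stand-in mirrors.

```python
import hashlib
import os
import tempfile
import urllib.request

def fetch_verified(urls, expected_sha256, dest, max_bytes=100 * 1024 * 1024):
    """Try each mirror in turn; install dest only if its SHA-256 matches the pin."""
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected_sha256 must be 64 hex digits")
    dest_dir = os.path.dirname(os.path.abspath(dest))
    errors = []
    for url in urls:
        # Download to a temp file beside dest so the final rename is atomic.
        fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".fetch-")
        try:
            digest = hashlib.sha256()
            total = 0
            with os.fdopen(fd, "wb") as out, urllib.request.urlopen(url, timeout=30) as resp:
                while chunk := resp.read(65536):
                    total += len(chunk)
                    if total > max_bytes:  # a hostile mirror must not fill the disk
                        raise ValueError("response exceeds max_bytes")
                    digest.update(chunk)
                    out.write(chunk)
            if digest.hexdigest() != expected:
                raise ValueError("digest mismatch: got " + digest.hexdigest())
            os.replace(tmp, dest)  # dest never holds unverified data
            return url
        except (OSError, ValueError) as exc:  # URLError is a subclass of OSError
            errors.append(f"{url}: {exc}")
            if os.path.exists(tmp):
                os.unlink(tmp)
    raise ValueError("no mirror supplied a matching file: " + "; ".join(errors))

if __name__ == "__main__":
    # Constructed demo: two local "mirrors", the first one tampered with.
    import pathlib
    work = pathlib.Path(tempfile.mkdtemp())
    (work / "m1.tar").write_bytes(b"tampered")
    (work / "m2.tar").write_bytes(b"upstream release")
    pin = hashlib.sha256(b"upstream release").hexdigest()
    mirrors = [(work / "m1.tar").as_uri(), (work / "m2.tar").as_uri()]
    print(fetch_verified(mirrors, pin, work / "pkg.tar"))  # URL of the second mirror
```

The pinned digest has to reach the build through a channel that is itself authenticated, such as the signed source package; the check only transfers that trust to the downloaded file.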
