[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: leaks in our only-signed-software fortress

Am 18.02.2012 19:03, schrieb brian m. carlson:
On Sat, Feb 18, 2012 at 11:48:27AM +0100, Thomas Koch wrote:
What about a debhelper script that receives an URL (or set of mirror
URLs) and a SHA1 and does the download and check?
Please use something stronger than SHA-1. SHA-1 has some weaknesses and
something like SHA-256 or SHA-512 should be used in new applications.

SHA1 has some weaknesses but I guess it's not yet (!!!) something were we have to make big concerns in real world threads... but:

I guess the main point with respect to things like these is the following:

Maintainers (or people in general) SHOULD get a sense of security and the obvious question here is: Why use something weaker, when something better is broadly available and technically feasible (I mean e.g. sums on source code make no performance problem,... when someone does streaming of large data, there can be benefit from using something weaker but faster (e.g. MD5 or) in contrast to stronger but slower (SHA512).


Reply to: