Re: leaks in our only-signed-software fortress
On 18.02.2012 19:03, brian m. carlson wrote:
> On Sat, Feb 18, 2012 at 11:48:27AM +0100, Thomas Koch wrote:
>> What about a debhelper script that receives an URL (or set of mirror
>> URLs) and a SHA1 and does the download and check?
> Please use something stronger than SHA-1. SHA-1 has some weaknesses
> something like SHA-256 or SHA-512 should be used in new applications.
SHA1 has some weaknesses but I guess it's not yet (!!!) something where
we have to have big concerns in real world threats... but:
I guess the main point with respect to things like these is the
Maintainers (or people in general) SHOULD get a sense of security and
the obvious question here is: Why use something weaker, when something
better is broadly available and technically feasible (I mean e.g. sums
on source code make no performance problem,... when someone does
streaming of large data, there can be benefit from using something
weaker but faster (e.g. MD5 or) in contrast to stronger but slower
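A sketch of what the fetch-and-check step proposed above could look like with SHA-256 in place of SHA-1, added here as an example and not code from this thread or from debhelper; the curl invocation, the mirror fallback order and the ".part" naming are my assumptions.

```shell
#!/bin/sh
# Added example: download a tarball from one of several mirrors and accept
# it only if its SHA-256 digest matches a value pinned in the packaging.
set -eu

# sha256_of FILE -> lowercase hex digest (sha256sum, or shasum on systems without it)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 on match, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# download URL DEST: the network step (assumed to use curl; fail on HTTP errors)
download() {
    curl -fsSL -o "$2" "$1"
}

# fetch_verified DEST EXPECTED_HEX URL... : try each mirror in turn, keep the
# first download whose digest matches, delete anything that does not match.
fetch_verified() {
    dest=$1; expected=$2; shift 2
    for url in "$@"; do
        if download "$url" "$dest.part" && verify_sha256 "$dest.part" "$expected"; then
            mv "$dest.part" "$dest"
            return 0
        fi
        echo "rejected $url (digest mismatch or download failure)" >&2
        rm -f "$dest.part"
    done
    return 1
}

# Stand-alone use: ./fetch-verified.sh DEST SHA256_HEX URL [URL...]
if [ "$#" -ge 3 ]; then fetch_verified "$@"; fi
```

The expected digest must come from the package itself (e.g. a file under debian/), not from the same mirror as the tarball, otherwise a compromised mirror can serve matching pairs.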