Am 18.02.2012 19:03, schrieb brian m. carlson:
On Sat, Feb 18, 2012 at 11:48:27AM +0100, Thomas Koch wrote:Please use something stronger than SHA-1. SHA-1 has some weaknesses andWhat about a debhelper script that receives an URL (or set of mirror URLs) and a SHA1 and does the download and check?something like SHA-256 or SHA-512 should be used in new applications.
+1SHA1 has some weaknesses but I guess it's not yet (!!!) something were we have to make big concerns in real world threads... but:
I guess the main point with respect to things like these is the following:
Maintainers (or people in general) SHOULD get a sense of security and the obvious question here is: Why use something weaker, when something better is broadly available and technically feasible (I mean e.g. sums on source code make no performance problem,... when someone does streaming of large data, there can be benefit from using something weaker but faster (e.g. MD5 or) in contrast to stronger but slower (SHA512).
Chris.