[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)

On Fri, 2012-10-12 at 09:17 +0200, Bernhard R. Link wrote:
> There is a disadvantage of having longer hashsums, thus making it harder
> for people to compare. The only reason that for those md5 is optimal and
> not crc32 is that there is only one md5 and there is a nice always
> available tool to compute it, so people can compare it more easy.

Do you think it often happens that people compare this manually? I
doubt... even for MD5,... cause whenever it goes above a few files, it
gets a pain with MD5, too.

And the tools for the newer alogs (well at least SHA2) are also quite
widespread now.

> Everything doing something like that can also create those sha2 sums on
> their own and use them. Using the debsums system (which has no security
> part at all) will only weaken security.
Well one argument would be, that these hashes are already created and
"automatically" maintained...

> So I think what you say is an
> argument for keeping md5sum, so that noone think they can use that
> information for security.
Wheter that works?! ;-)

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: