Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
On Fri, Oct 12, 2012 at 4:45 PM, Christoph Anton Mitterer wrote:
> On Fri, 2012-10-12 at 16:37 -0400, Michael Gilbert wrote:
>> Which is impossible, or at least man-powerwise insurmountable. There
>> are something like 500 million lines of code in a Debian release.
> I wasn't talking about such an impossible task,... but there speaks
> nothing against relatively easy things,... like securing all of our
> package repository infrastructure by strong algos (as we already did)...
> and trying to prevent higher level attacks, like downgrade attacks.
Do you have evidence of any of those things? If so, please submit
bugs, and we will look at fixing them. Otherwise, speculation gets us
nowhere and actually wastes time.