[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý <ondrej@sury.org> wrote:
> On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <pabs@debian.org> wrote:
> So, yeah let's drop MD5, but don't introduce neither SHA512 nor SHA-3
> unless there's a cryptographical need (there isn't at the moment).

Actually, it might be less controversial to drop SHA1[0] as the MD5 has
fieldnames (as Guillem already mentioned) which are probably assumed
to be present. I have not check(-ETIME) that for APT now, but somehow
I would be surprised if it wouldn't dislike (some) missing MD5 sections
even if it isn't using the sections for providing MD5, but because they have
a wonderfully stable name like "Files".

Its not like we are anywhere near to a "cryptographical need" to drop MD5
(as you have to do (at least) two pre-image attacks in a row with the same
 file (aka compressed and uncompressed) – and as a bonus, the filesize has
 to match as well – not to mention that the file has to make sense…) and
at the time we do SHA1 is probably not an interesting candidate.

Best regards

David Kalnischkies

[0] expect in pdiffs as that is the only supported in there so far

Reply to: