Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý <email@example.com> wrote:
> On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <firstname.lastname@example.org> wrote:
> So, yeah let's drop MD5, but don't introduce neither SHA512 nor SHA-3
> unless there's a cryptographical need (there isn't at the moment).
Actually, it might be less controversial to drop SHA1 as the MD5 has
fieldnames (as Guillem already mentioned) which are probably assumed
to be present. I have not check(-ETIME) that for APT now, but somehow
I would be surprised if it wouldn't dislike (some) missing MD5 sections
even if it isn't using the sections for providing MD5, but because they have
a wonderfully stable name like "Files".
Its not like we are anywhere near to a "cryptographical need" to drop MD5
(as you have to do (at least) two pre-image attacks in a row with the same
file (aka compressed and uncompressed) – and as a bonus, the filesize has
to match as well – not to mention that the file has to make sense…) and
at the time we do SHA1 is probably not an interesting candidate.
 expect in pdiffs as that is the only supported in there so far