Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

To: Wouter Verhelst <wouter@debian.org>
Cc: Ben Hutchings <ben@decadent.org.uk>, debian developers <debian-devel@lists.debian.org>
Subject: Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
From: Ondřej Surý <ondrej@sury.org>
Date: Fri, 9 Aug 2013 08:36:18 +0200
Message-id: <[🔎] CALjhHG-p=dv-CDpjfHKmkPBjFuMFfbL-uMSov5jNfgGREEo2Kw@mail.gmail.com>
In-reply-to: <[🔎] 5203FDCF.6000404@debian.org>
References: <[🔎] CAKTje6GFBVBjmCECH_j3gwPBOkoBju261V2CrgzZ5dag+9e61w@mail.gmail.com> <[🔎] 20130802132914.GA7754@gaara.hadrons.org> <[🔎] 1375525839.15681.63.camel@dagon.hellion.org.uk> <[🔎] CAKTje6EOEEL3KOajiUeUOGCL+bq0gOYcp7uRM8OPt=szjqKbPA@mail.gmail.com> <[🔎] CALjhHG80Qf5GqKJDOwNWp_+giFFxULoL=Re49PqPm5TycLP0_A@mail.gmail.com> <[🔎] 51FE6907.7020905@debian.org> <[🔎] 1375661777.10147.15.camel@deadeye.wl.decadent.org.uk> <[🔎] 5203FDCF.6000404@debian.org>

On Thu, Aug 8, 2013 at 10:21 PM, Wouter Verhelst <wouter@debian.org> wrote:

On 05-08-13 02:16, Ben Hutchings wrote:
> On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote:
>> On 03-08-13 13:45, Ondřej Surý wrote:
>>> I think it's useless to upgrade to SHA512 (or SHA-3),
>>
>> It's never useless to upgrade to a stronger hash.
>>
>> The cost might outweight the benefit, yes. But that's a different matter.
>
> What makes you think these are stronger?

Simple mathematics.

To me, a "strong hash" is a hash for which collisions are unlikely.

A SHA512 hash is longer than a SHA1 hash. Therefore it has more bits.
Therefore it has more possible values, which decreases the likelihood
that two collections of bits will produce the same hash value by accident.

This is a very dangerous fallacy. More bits != stronger. It's the algorithm

properties that makes the hash stronger, not the number of the bits in the

resulting hash.

O.

--

Ondřej Surý <ondrej@sury.org>

Have you tried Knot DNS – https://www.knot-dns.cz/

– a high-performance authoritative-only DNS server

Reply to:

References:
- new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Paul Wise <pabs@debian.org>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Guillem Jover <guillem@debian.org>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Ian Campbell <ijc@hellion.org.uk>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Paul Wise <pabs@debian.org>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Ondřej Surý <ondrej@sury.org>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Wouter Verhelst <wouter@debian.org>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
  - From: Wouter Verhelst <wouter@debian.org>

Prev by Date: Work-needing packages report for Aug 9, 2013
Next by Date: Re: best policies for third party Debian packaging and get-orig-source target
Previous by thread: Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
Next by thread: Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?
Index(es):
- Date
- Thread