
Re: Let's shrink Packages.xz



On Mon, 14 Jul 2014, Russ Allbery wrote:

> ابراهیم محمدی <mebrahim@gmail.com> writes:
> 
> > Isn't a single (rather small) hash value enough for almost all users?
> 
> Using multiple hashes gives us some theoretical robustness against a break
> in one of the hash functions provided that all clients check all the
> hashes and the hashes would fail independently (which is likely).

I would like to see some supporting evidence for the claim that they
will likely fail independently.  In particular given that they are all
the same construct.

>                                                                    The
> basic idea is that it's much harder to come up with a simultaneous hash
> collision with both SHA-1 and SHA-2 than breaking either of them
> independently.

ISTR reading papers that put this "much harder" into doubt.  But I can't
find those references, alas.

I think just having a single, strong hash in Packages ought to be
sufficient.

Cheers,
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
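
The condition quoted above, "provided that all clients check all the hashes", shown as an added example that is not part of this thread or of any Debian tool: a client that checks one digest field next to one that requires every listed digest to match. MD5sum, SHA1, SHA256 and Size are Packages fields; the helper names, the required-digest policy and the sample payloads are assumptions constructed for illustration.

```python
import hashlib

# Debian Packages digest fields -> hashlib algorithm names
DIGEST_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def make_stanza(data, name="example"):
    """Build a constructed Packages-style stanza for data (sample input only)."""
    lines = [f"Package: {name}", f"Size: {len(data)}"]
    lines += [f"{f}: {hashlib.new(a, data).hexdigest()}" for f, a in DIGEST_FIELDS.items()]
    return "\n".join(lines) + "\n"

def parse_stanza(text):
    """Parse one "Field: value" stanza into a dict, folding continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            fields[last] = value.strip()
    return fields

def verify_one(stanza, data, field):
    """Verdict of a client that checks a single digest field."""
    return hashlib.new(DIGEST_FIELDS[field], data).hexdigest() == stanza[field].lower()

def verify_all(stanza, data, required=("SHA256",)):
    """Accept only if Size and every listed digest match and no required one is absent."""
    results = {}
    if "Size" in stanza:
        results["Size"] = int(stanza["Size"]) == len(data)
    for field in DIGEST_FIELDS:
        if field in stanza:
            results[field] = verify_one(stanza, data, field)
    missing = [f for f in required if f not in stanza]
    return (not missing and all(results.values())), results

def demo():
    good, altered = b"constructed package payload", b"constructed altered payload"
    stanza = parse_stanza(make_stanza(good))
    # Constructed stand-in for a break of one function: the MD5sum field is made
    # to match the altered bytes, while the other fields still describe `good`.
    stanza["MD5sum"] = hashlib.md5(altered).hexdigest()
    return verify_one(stanza, altered, "MD5sum"), verify_all(stanza, altered)

if __name__ == "__main__":
    print(demo())
```

The single-field check accepts the altered payload while the all-fields check rejects it; whether that adds real strength depends on the independence question raised in the message.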

