Re: Let's shrink Packages.xz
On Mon, 14 Jul 2014, Russ Allbery wrote:
> ابراهیم محمدی <mebrahim@gmail.com> writes:
>
> > Isn't a single (rather small) hash value enough for almost all users?
>
> Using multiple hashes gives us some theoretical robustness against a break
> in one of the hash functions provided that all clients check all the
> hashes and the hashes would fail independently (which is likely).
I would like to see some supporting evidence for the claim that they
will likely fail independently. In particular given that they are all
the same construct.
> The
> basic idea is that it's much harder to come up with a simultaneous hash
> collision with both SHA-1 and SHA-2 than breaking either of them
> independently.
ISTR reading papers that put this "much harder" into doubt. But I can't
find those references, alas.
I think just having a single, strong hash in Packages ought to be
sufficient.
Cheers,
--
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 http://www.palfrader.org/  | `. `'      Operating System
                            |   `-    http://www.debian.org/
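The exchange above turns on a condition Russ states in passing: multiple hashes only buy anything if every client checks every hash. The following is an added illustration, not code from the thread or from apt. It builds a constructed Packages-style stanza (the package name, filename and payload bytes are made up) with MD5sum, SHA1 and SHA256 fields, and compares a client that requires all listed hashes to match against one that checks a single field. A real MD5 break cannot be reproduced here, so `simulate_md5_break` stands in for it by writing the attacker's digest into the MD5sum field while leaving the other fields as published; this is a labelled simulation, not an attack.

```python
import hashlib

# Packages field name -> hashlib algorithm name.
HASH_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# Constructed sample payloads standing in for a .deb; not real Debian packages.
GOOD_PAYLOAD = b"fake .deb contents for illustration\n"
EVIL_PAYLOAD = b"fake .deb contents with a backdoor\n"


def make_stanza(payload: bytes, fields=tuple(HASH_FIELDS)) -> str:
    """Build a Packages-style stanza for payload carrying the given hash fields.
    Package name and Filename are hypothetical."""
    lines = [
        "Package: example",
        "Filename: pool/main/e/example/example_1.0_all.deb",
        f"Size: {len(payload)}",
    ]
    for name in fields:
        lines.append(f"{name}: {hashlib.new(HASH_FIELDS[name], payload).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_stanza(text: str) -> dict:
    """Parse 'Field: value' lines into a dict (no continuation lines needed here)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def check_hashes(fields: dict, data: bytes, which=None) -> dict:
    """Return {field: matched?} for each hash field in `which`
    (default: every hash field present in the stanza)."""
    names = which if which is not None else [f for f in HASH_FIELDS if f in fields]
    results = {}
    for name in names:
        actual = hashlib.new(HASH_FIELDS[name], data).hexdigest()
        results[name] = actual == fields[name].lower()
    return results


def accept_all(fields: dict, data: bytes) -> bool:
    """Client policy the thread assumes: Size and every listed hash must match.
    With only a SHA256 field present this is the single-strong-hash proposal."""
    if int(fields["Size"]) != len(data):
        return False
    results = check_hashes(fields, data)
    return bool(results) and all(results.values())


def accept_one(fields: dict, data: bytes, name: str) -> bool:
    """Client that verifies a single hash field and ignores the rest."""
    return check_hashes(fields, data, [name])[name]


def simulate_md5_break(fields: dict, evil_payload: bytes) -> dict:
    """SIMULATION: a real MD5 break would let an attacker craft evil_payload so that
    md5(evil_payload) equals the published MD5sum. We cannot do that, so we pretend
    by overwriting MD5sum (and Size) with the attacker's values. SHA1 and SHA256
    remain the honest, published digests of the original payload."""
    forged = dict(fields)
    forged["MD5sum"] = hashlib.md5(evil_payload).hexdigest()
    forged["Size"] = str(len(evil_payload))
    return forged


if __name__ == "__main__":
    published = parse_stanza(make_stanza(GOOD_PAYLOAD))
    print("genuine payload, all hashes checked:", accept_all(published, GOOD_PAYLOAD))
    forged = simulate_md5_break(published, EVIL_PAYLOAD)
    print("simulated MD5 break, MD5-only client:", accept_one(forged, EVIL_PAYLOAD, "MD5sum"))
    print("simulated MD5 break, all-hash client:", accept_all(forged, EVIL_PAYLOAD))
    sha256_only = parse_stanza(make_stanza(GOOD_PAYLOAD, ["SHA256"]))
    print("single SHA256 field, genuine payload:", accept_all(sha256_only, GOOD_PAYLOAD))
```

The MD5-only client accepts the simulated forgery and the all-hash client rejects it, which is exactly the "provided that all clients check all the hashes" caveat; whether the two remaining hashes would fail independently under a real attack is the open question Peter raises, and nothing in this example settles it.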