please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)



Hi,

I'm sorry but I want to amend myself…

On Sat, Jan 21, 2017 at 05:34:41PM +0000, Holger Levsen wrote:
> > > (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> > > do we want to be joked about?)
> > I'm not sure why you say this. More than one hash is strictly better
> > than just one.
> well, yes, that's true.

Somewhat. As explained, this can also be harmful:

> OTOH, not throwing away the support for md5sums
> will never allow us to be sure that we're not still relying on md5sums
> somewhere.

And even Oracle will soon be doing this better than Debian: "Oracle says that
starting with April 18, 2017, Java (JRE) will treat all JAR files signed
with the MD5 algorithm as unsigned, meaning they'll be considered insecure and
blocked from running." - via https://developers.slashdot.org/story/17/01/21/0538232/

We really ought to do the same. I'm all for keeping sha1+sha256, but
please let's *completely* drop md5sums for buster.


-- 
cheers,
	Holger
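The policy argued for above ("treat MD5 as if it were not there, so nothing can quietly rely on it") can be made concrete in a small .dsc checksum verifier. The following is an added example, not code from the mail or from Debian's tooling; the .dsc fragment and file contents are constructed here, and the field names (Files for MD5, Checksums-Sha1, Checksums-Sha256) follow the real .dsc layout. A file that appears only in the MD5 list is reported as unverified rather than accepted, while the same verifier with MD5 re-enabled shows how such a file would otherwise slip through as "ok".

```python
import hashlib
import hmac

# Constructed sample data (not a real package). In a .dsc the legacy
# "Files:" field carries MD5 digests; "Checksums-Sha1:" / "Checksums-Sha256:"
# carry the stronger ones. "legacy.tar.gz" is deliberately listed only in
# the MD5 section so the policy has something to refuse.
ORIGINAL = {
    "hello_1.0.orig.tar.gz": b"constructed tarball contents\n",
    "legacy.tar.gz": b"only covered by md5\n",
}

# Same length as the original so that only the digest, not the size, differs.
TAMPERED = dict(ORIGINAL, **{"hello_1.0.orig.tar.gz": b"constructed tarball contentz\n"})

FIELD_ALGO = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}


def _entry(algo, name):
    """One continuation line of a checksum field: ' <digest> <size> <name>'."""
    return f" {hashlib.new(algo, ORIGINAL[name]).hexdigest()} {len(ORIGINAL[name])} {name}"


# The .dsc text is generated from ORIGINAL, the way dpkg-source would have done.
DSC_TEXT = "\n".join([
    "Format: 3.0 (quilt)",
    "Source: hello",
    "Checksums-Sha256:",
    _entry("sha256", "hello_1.0.orig.tar.gz"),
    "Files:",
    _entry("md5", "hello_1.0.orig.tar.gz"),
    _entry("md5", "legacy.tar.gz"),
    "",
])


def parse_dsc(text):
    """Return {filename: {"size": int, <algo>: hexdigest, ...}} from the checksum fields."""
    digests = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A new field starts; remember which digest its continuation lines carry.
            current = FIELD_ALGO.get(line.split(":", 1)[0])
            continue
        if current is None:
            continue  # continuation line of a field we do not care about
        hexdigest, size, name = line.split()
        digests.setdefault(name, {"size": int(size)})[current] = hexdigest
    return digests


def verify(dsc_text, downloaded, accepted=("sha1", "sha256")):
    """Check downloaded files against the .dsc, ignoring every algorithm not in `accepted`.

    With the default, MD5 entries are simply not consulted: a file covered only
    by MD5 comes back "unverified" instead of "ok". Returns {filename: status}
    with status in {"ok", "mismatch", "missing", "unverified"}.
    """
    results = {}
    for name, info in parse_dsc(dsc_text).items():
        data = downloaded.get(name)
        if data is None:
            results[name] = "missing"
            continue
        checked = [algo for algo in accepted if algo in info]
        if not checked:
            results[name] = "unverified"  # nothing acceptable covers this file
            continue
        ok = len(data) == info["size"] and all(
            hmac.compare_digest(hashlib.new(algo, data).hexdigest(), info[algo])
            for algo in checked
        )
        results[name] = "ok" if ok else "mismatch"
    return results


if __name__ == "__main__":
    print("strict :", verify(DSC_TEXT, ORIGINAL))
    print("tampered:", verify(DSC_TEXT, TAMPERED))
    # Re-enabling MD5 is exactly the "still relying on it somewhere" case.
    print("lenient:", verify(DSC_TEXT, ORIGINAL, accepted=("md5", "sha1", "sha256")))
```

The difference between the strict and lenient runs is the whole argument: as long as the MD5 list is still parsed and trusted, an MD5-only entry is indistinguishable from a properly covered file, and no amount of additional SHA-256 entries elsewhere changes that.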
