Hi,

I'm sorry but I want to amend myself…

On Sat, Jan 21, 2017 at 05:34:41PM +0000, Holger Levsen wrote:
> > > (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> > > do we want to be joked about?)
> > I'm not sure why you say this. More than one hash is strictly better
> > than just one.
> well, yes, that's true. somewhat. as explained this, also can be harmful:
> OTOH, not throwing away the support for md5sums
> will never allow us to be sure that we're not still relying on md5sums
> somewhere.

and even Oracle does this better than Debian soon:

"Oracle says that starting with April 18, 2017, Java (JRE) will treat all
JAR files signed with the MD5 algorithm as unsigned, meaning they'll be
considered insecure and blocked from running." - via
https://developers.slashdot.org/story/17/01/21/0538232/

We really ought to do the same. I'm all for keeping sha1+sha256, but
please let's *completely* drop md5sums for buster.

-- 
cheers,
Holger