Re: Archive no longer accepts uploads signed using SHA-1 or RIPE-MD/160

To: debian-devel@lists.debian.org
Subject: Re: Archive no longer accepts uploads signed using SHA-1 or RIPE-MD/160
From: Russ Allbery <rra@debian.org>
Date: Fri, 24 Feb 2017 13:42:13 -0800
Message-id: <[🔎] 87d1e7w9je.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20170224143857.sossexkweiml5tft@grep.be> (Wouter Verhelst's message of "Fri, 24 Feb 2017 15:38:57 +0100")
References: <87y3wyt2f8.fsf@deep-thought.43-1.org> <[🔎] 20170224143857.sossexkweiml5tft@grep.be>

Wouter Verhelst <wouter@debian.org> writes:

> Uhh? AFAIK, RIPEMD160 is not compromised at all, not even in a
> theoretical attack. Why was this part of the decision taken?

> (there is a theoretical attack against RIPEMD, but that is not the same
> thing as RIPEMD160)

Crypto folks have been dubious about RIPEMD160 for a while for new
applications, just because it's pretty old and doesn't have some of the
nice properties of modern hashes.  It's more proactive than SHA-1 to drop
it, but I support dropping it just as a precautionary measure.  There
isn't a good reason to keep using it so far as I know.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: Archive no longer accepts uploads signed using SHA-1 or RIPE-MD/160
  - From: Wouter Verhelst <wouter@debian.org>

Prev by Date: Re: apt-get upgrade removing ifupdown on jessie→stretch upgrade
Next by Date: Re: sane chromium default flags - include --enable-remote-extensions
Previous by thread: Re: Archive no longer accepts uploads signed using SHA-1 or RIPE-MD/160
Next by thread: Bug#856158: ITP: g810-led -- LED configuration tool for Logitech G410/G610/G810/G910 keyboards
Index(es):
- Date
- Thread