
Bug#155676: [patch] dynamic sha1sums generation



On Tue, Aug 06, 2002 at 01:04:23AM -0400, Colin Walters wrote:
> I chose SHA1 over using MD5 because I've heard word going around that
> while MD5 isn't insecure, it is less secure than previously thought. 
> Specifically that if you can control the size of the file as well, it's
> easier to find a matching MD5 sum.  

AIUI, that's usually avoided by listing the file size as well as the
md5sum. At the very least listing the expected file size gives you a
very easy check for a lot of accidental corruption.

> Plus, using
> /var/lib/dpkg/info/foo.sha1sums avoids a naming conflict with the
> foo.md5sums file.

Wouldn't it be more sensible to put it in

	/var/lib/dpkg/checksums/foo.sha1

or similar?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''
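
The size-plus-checksum check discussed in the message above, as an added example that is not part of the original thread or of dpkg. The `sha1  size  path` line format and the function names are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import os
import tempfile

def manifest_line(path):
    """Return 'sha1  size  path' for one file (hypothetical format, not dpkg's)."""
    with open(path, "rb") as f:
        digest = hashlib.sha1(f.read()).hexdigest()
    return f"{digest}  {os.path.getsize(path)}  {path}"

def verify_line(line):
    """Return 'ok', 'missing', 'size-mismatch' or 'digest-mismatch'."""
    digest, size, path = line.split("  ", 2)
    try:
        actual_size = os.path.getsize(path)
    except OSError:
        return "missing"
    # Cheap check first: one stat() call catches truncation and much
    # accidental corruption without reading the file at all.
    if actual_size != int(size):
        return "size-mismatch"
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == digest else "digest-mismatch"

def demo():
    """Run the check against a constructed sample file in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"A" * 1024)
        line = manifest_line(path)
        results["intact"] = verify_line(line)
        with open(path, "wb") as f:           # truncated: size differs
            f.write(b"A" * 1000)
        results["truncated"] = verify_line(line)
        with open(path, "wb") as f:           # same size, last byte changed
            f.write(b"A" * 1023 + b"B")
        results["flipped"] = verify_line(line)
        os.remove(path)
        results["removed"] = verify_line(line)
    return results

if __name__ == "__main__":
    print(demo())
```

The size comparison only filters out the cheap cases; a same-size modification still has to be caught by the digest.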


