Re: md5sums files
- To: email@example.com
- Cc: firstname.lastname@example.org
- Subject: Re: md5sums files
- From: Goswin von Brederlow <email@example.com>
- Date: Fri, 05 Mar 2010 19:54:29 +0100
- Message-id: <firstname.lastname@example.org>
- In-reply-to: <4B8EB3B6.email@example.com> (Bernd Zeimetz's message of "Wed, 03 Mar 2010 20:08:38 +0100")
- References: <20100303020620.GA17083@celtic.nixsys.be> <firstname.lastname@example.org> <email@example.com> <20100303104725.GA18778@celtic.nixsys.be> <firstname.lastname@example.org> <4B8EB3B6.email@example.com>
Bernd Zeimetz <firstname.lastname@example.org> writes:
> Philipp Kern wrote:
>> On 2010-03-03, Wouter Verhelst <email@example.com> wrote:
>>> This is where I disagree. When a checksum algorithm is compromised (and
>>> MD5 *is* compromised), things only ever get worse, not better. Indeed,
>>> MD5 preimage attacks are pretty hard *today*. But switching to something
>>> more secure in preparation for the day when MD5 will be easily cracked
>>> by every script kiddo around is *not* overkill.
>> Sure, but to be honest, not even all packages managed to generate md5sums
>> 'till now (with some quite core, omnipresent packages missing) so it seems out
>> of scope for squeeze. Maybe squeeze+1.
> I think its about time to require to generate checksums for packages and make
> all packages which do not do so RC buggy.
If a checksum file becomes required then it really is not the job of the
package to build it. Instead dpkg should generate one and include it
automatically. And given the widespread generation of md5sum files that
really should be automated anyway.
This would go nicely with changing the checksum algorithm. Just prepare
a patch for dpkg to generate a sha256sum file automatically when it
builds a deb and then packages can stop generating md5sum files over