Re: Time to replace MD5?
* Henrique de Moraes Holschuh:
> On Tue, 12 Jun 2007, Touko Korpela wrote:
>> Debian Security Advisories currently contain MD5 checksums. As MD5 is no
>> longer strong enough, maybe it should be replaced by SHA1 or SHA256?
>
> When combined with size information
Size information doesn't buy you that much.
> AND the fact that it needs to be a valid .deb archive, they are
> probably more than strong enough.
That, and the "evil twin" package would have to be prepared by the
securty team as well, which isn't a relevant scenario (because they
could put a backdoor in the original without attacking the hash).
Reply to: