Re: Time to replace MD5?

To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: Touko Korpela <tkorpela@phnet.fi>, debian-security@lists.debian.org
Subject: Re: Time to replace MD5?
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 13 Jun 2007 10:24:00 +0200
Message-id: <[🔎] 87ir9stg7z.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20070612210425.GA7227@khazad-dum.debian.net> (Henrique de Moraes Holschuh's message of "Tue, 12 Jun 2007 18:04:25 -0300")
References: <[🔎] 20070612204123.GA2403@norsu.vuoristo.local> <[🔎] 20070612210425.GA7227@khazad-dum.debian.net>

* Henrique de Moraes Holschuh:

> On Tue, 12 Jun 2007, Touko Korpela wrote:
>> Debian Security Advisories currently contain MD5 checksums. As MD5 is no 
>> longer strong enough, maybe it should be replaced by SHA1 or SHA256?
>
> When combined with size information 

Size information doesn't buy you that much.

> AND the fact that it needs to be a valid .deb archive, they are
> probably more than strong enough.

That, and the "evil twin" package would have to be prepared by the
securty team as well, which isn't a relevant scenario (because they
could put a backdoor in the original without attacking the hash).

Reply to:

Follow-Ups:
- Re: Time to replace MD5?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: Time to replace MD5?
  - From: Steffen Schulz <pepe_ml@gmx.net>

References:
- Time to replace MD5?
  - From: Touko Korpela <tkorpela@phnet.fi>
- Re: Time to replace MD5?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: Latest OOo Etch update -7etch1 depends on different libneon
Next by Date: Re: Time to replace MD5?
Previous by thread: Re: Time to replace MD5?
Next by thread: Re: Time to replace MD5?
Index(es):
- Date
- Thread