Re: Time to replace MD5?



On Wed, Jun 13, 2007 at 10:37:26AM -0300, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> On Wed, 13 Jun 2007, Florian Weimer wrote:
> > > On Tue, 12 Jun 2007, Touko Korpela wrote:
> > >> Debian Security Advisories currently contain MD5 checksums. As MD5 is no 
> > >> longer strong enough, maybe it should be replaced by SHA1 or SHA256?
> > >
> > > When combined with size information 
> > 
> > Size information doesn't buy you that much.
> 
> When we are talking about a binary blob that matches the *same* md5sum? Yes,
> it does.  Causing an MD5 collision with a message of the same size is far more
> difficult.

Especially when it has to be a valid .deb file (which means an ar archive of
2 correctly gzipped tar files)

Mike
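
The checks discussed in this thread (size, digest, and a structurally valid .deb), sketched as an added example that is not part of the original messages. It assumes the gzip-era layout of an ar archive holding `debian-binary`, `control.tar.gz` and `data.tar.gz`, uses SHA-256 as the digest, and builds its own sample package in memory; all function names are hypothetical.

```python
import gzip, hashlib, io, tarfile, zlib
AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Yield (name, data) for each member of a common-format ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated ar member")
        yield hdr[:16].decode("ascii").rstrip(" /"), data
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def check_deb(blob, want_size, want_sha256):
    """Return the names of the checks that failed (empty list = all passed)."""
    checks = (("size", len(blob) == want_size),
              ("sha256", hashlib.sha256(blob).hexdigest() == want_sha256))
    failed = [name for name, ok in checks if not ok]
    try:
        members = dict(ar_members(blob))
        for name in ("control.tar.gz", "data.tar.gz"):  # gzip, as in the message
            raw = gzip.decompress(members[name])  # verifies gzip CRC and length
            with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
                tf.getmembers()  # walks every tar header
    except (ValueError, KeyError, OSError, EOFError, zlib.error, tarfile.TarError):
        failed.append("structure")
    return failed

def _tgz(name, payload):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_sample_deb():  # constructed sample, not a real Debian package
    out = AR_MAGIC
    for name, data in (("debian-binary", b"2.0\n"),
                       ("control.tar.gz", _tgz("control", b"Package: demo\n")),
                       ("data.tar.gz", _tgz("usr/share/doc/demo/README", b"hi\n"))):
        hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))
        out += hdr.encode("ascii") + data + b"\n" * (len(data) & 1)
    return out
```

A same-size modification of the sample still fails both the digest and the structure check, because the gzip trailer no longer matches the member's contents.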


