Re: md5 hashes used in security announcements
On Fri, Oct 24, 2008 at 10:35:52PM +0200, Sjors Gielen wrote:
> Kees Cook wrote:
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> > and SHA256. The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?
That's up to the people that control the template, but I would assume
because the template is based off of the changes files which, until very
recently, only had md5s. And besides, why make the announcement emails
even longer? :)
Kees Cook @outflux.net
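
An added example, not part of the original thread and not the archive's own tooling: the hash chain the message refers to, in which the Release file lists a SHA256 for the Packages file and the Packages file lists a SHA256 for each package file. The package name, paths and contents are constructed, and the code assumes the Release file's own signature has already been verified.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(text: str) -> dict:
    """Map path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False
    return entries

def parse_packages(text: str) -> dict:
    """Map Filename -> fields for each stanza (single-line fields only)."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def verify_chain(release: str, pkgs_path: str, pkgs: bytes, deb_path: str, deb: bytes) -> bool:
    """True only if Release vouches for Packages and Packages vouches for the .deb.
    Assumes the Release file's own signature was already verified."""
    listed = parse_release_sha256(release).get(pkgs_path)
    if listed is None or listed != (sha256_hex(pkgs), len(pkgs)):
        return False
    entry = parse_packages(pkgs.decode()).get(deb_path)
    return (entry is not None and int(entry["Size"]) == len(deb)
            and entry["SHA256"] == sha256_hex(deb))

def build_sample():
    """Constructed archive: fake package name, fake contents, hashes computed here."""
    deb_path, pkgs_path = "pool/main/e/example/example_1.0_all.deb", "main/binary-all/Packages"
    deb = b"constructed stand-in for a .deb payload\n"
    pkgs = (f"Package: example\nVersion: 1.0\nFilename: {deb_path}\n"
            f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n").encode()
    release = f"Suite: constructed\nSHA256:\n {sha256_hex(pkgs)} {len(pkgs)} {pkgs_path}\n"
    return release, pkgs_path, pkgs, deb_path, deb
```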