Le quintidi 5 ventôse, an CCXXIV, Thomas Schmitt a écrit : > Only as far as use cases for Debian ISO image hashs are concerned. > No hash collisions among all Debian ISOs (or better all ISOs in the > world) is a valuable property. ??? I have no idea what you are talking about. > If the SHA512SUMS.sign Stop right there. Signing a bunch of hashes is a beginner's mistake, I have already emphasized that in this thread. It is rather sad that Debian made that mistake. > So the strength of PGP relative to the strength of the used > combined checksums does matter. Not if the signature is done correctly, on the data itself and not a derivative. > But as said previously, the biggest danger is in evil package sources. This is completely unrelated. And as a side note, I rely on Debian packagers to be on the watch. > MD5 is much less prone than are us upstreamers. > (What shall i do if the Bundesnachrichtendienst rings my doorbell, > has the Verfassungsschutz in tow, plus a bailiff and two police > officers, while an armed drone is cycling over my house ?) ??? > As long as no intentional covert manipulations are to fear, MD5 > will suffice for any reasonable degree of certainty. I blame you for giving advice without knowing the problem. > On my machines of the last 10 years, MD5 computation was always > faster than hard disk reading. Ever heard of cache? > As for CRC, a skilled choice of two different divisor > polynomials is supposed to yield two independent 32 bit sums. > (The polynomials should at least not be multiples of each other.) The polynomials must be irreducible to yield a correct CRC32. That rules out them being multiples of each other.
Attachment:
signature.asc
Description: Digital signature