Bug#423902: apt should use both md5 and sha1
On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
>
>
> Collisions for md5 and sha1 were found already,
> so it's likely that in the nearer future one of them alone won't be
> safe enough.
>
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.

There is a sha256 branch in bzr already that should solve this problem
in the future. As Colin pointed out, just using both hashes will not
improve security.

Cheers,
Michael