
Bug#423902: apt should use both md5 and sha1



On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
> 
> 
> Collisions for md5 and sha1 were found already,
> so it's likely that in the nearer future one of them alone won't be
> safe enough.
> 
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.

There is a sha256 branch in bzr already that should solve this problem
in the future. As Colin pointed out, just using both hashes will not
improve security.

Cheers,
 Michael


