Bug#423902: apt should use both md5 and sha1
On Fri, Jun 08, 2007 at 10:12:46PM +0200, Michael Vogt wrote:
> On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> > Package: apt
> > Version: 0.6.46.4
> > Severity: wishlist
> >
> > Collisions for md5 and sha1 were found already,
> > so it's likely that in the nearer future one of them alone won't be
> > safe enough.
> >
> > Since it is harder to find collisions for two checksums than for one,
> > apt should use both of them at the same time for verifying packages.
>
> There is a sha256 branch in bzr already that should solve this problem
> in the future. As Colin pointed out, just using both hashes will not
> improve security.
This sha256 has been merged since apt 0.7.7, I guess this bug is no
longer applicable.

apt (0.7.7) unstable; urgency=low

  [ Michael Vogt ]
  [..]
  * merged apt--sha256 branch to fully support the new
    sha256 checksums in the Packages and Release files
    (ABI break)

--
Simon Paillard
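
An added illustration, not part of this message and not apt's own code: checking a downloaded file against the checksum fields of a Packages stanza, trusting only the strongest digest listed and refusing stanzas that offer nothing at least as strong as SHA256. The package name, the stanza and the file bytes are constructed for the example; `parse_stanza` and `verify` are hypothetical helper names.

```python
import hashlib
import hmac

# Strongest first; names are the checksum fields of a Packages stanza.
PREFERENCE = [("SHA256", hashlib.sha256), ("SHA1", hashlib.sha1), ("MD5sum", hashlib.md5)]

def parse_stanza(text):
    """Parse one control-file stanza into a dict, folding continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            fields[last] = value.strip()
    return fields

def verify(stanza, data, minimum="SHA256"):
    """Return (ok, reason). Checks Size, then only the strongest listed digest,
    and refuses when nothing at least as strong as `minimum` is listed."""
    fields = parse_stanza(stanza)
    if not fields.get("Size", "").isdigit() or int(fields["Size"]) != len(data):
        return (False, "size mismatch")
    names = [name for name, _ in PREFERENCE]
    for name, algo in PREFERENCE[: names.index(minimum) + 1]:
        if name in fields:
            digest = algo(data).hexdigest()
            return (hmac.compare_digest(digest, fields[name].lower()), name)
    return (False, "no acceptable checksum")

# Constructed sample: stand-in bytes and a stanza computed from them.
SAMPLE_DEB = b"constructed stand-in for a .deb file\n"
SAMPLE_STANZA = "\n".join([
    "Package: example-pkg",
    "Version: 1.0-1",
    "Description: constructed example",
    " second line of the description",
    f"Size: {len(SAMPLE_DEB)}",
    f"MD5sum: {hashlib.md5(SAMPLE_DEB).hexdigest()}",
    f"SHA1: {hashlib.sha1(SAMPLE_DEB).hexdigest()}",
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}",
])

if __name__ == "__main__":
    print(verify(SAMPLE_STANZA, SAMPLE_DEB))
    print(verify(SAMPLE_STANZA, SAMPLE_DEB[:-1] + b"!"))
```

The digest only proves the file matches the index; the index itself still has to be authenticated through the signed Release file.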