Gentoo Archives: gentoo-dev

From: Chris White <chriswhite@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Notification about MD5 support
Date: Fri, 22 Sep 2006 17:19:29
Message-Id: 200609221016.16186.chriswhite@gentoo.org
In Reply to: Re: [gentoo-dev] Notification about MD5 support by "Hanno Böck"

On Thursday 21 September 2006 08:54, Hanno Böck wrote:
> I think sha256/512 is the only thing that makes sense at the moment, as it
> most probably will stay secure for quite a while and we don't have real
> alternatives. So imho use sha256, get rid of everything else, because that
> rarely improves security, and wait for the nist to define something new
> (which will happen, but probably take some years from now).

Well, the problem that occurs here is the verification process. With MD5, you can hit most upstream sites, and they'll have an MD5SUM available that you can authenticate against. With SHA256, you would need an upstream that actually implements them as hashes for release notifications. Without this sort of verification, there's a better chance of someone putting out some kind of exploit tarball, us hashing it as per the usual, and the whole purpose gets defeated. Yes, you can consider that developers should be going in and checking the changes, etc., but the problem is it's something a lot of devs would be less likely to do versus an easy md5sum lookup.

--
Chris White
Gentoo Developer
aka: xxxxxx (Scissors Were Here) xxxxxx

Replies

Subject Author
Re: [gentoo-dev] Notification about MD5 support Vlastimil Babka <caster@g.o>