1 |
Mike Frysinger wrote: |
2 |
> ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're |
3 |
> going to be leaving an insecure format, we might as well keep the one that is |
4 |
> a virtual standard in and of itself (MD5) |
5 |
> -mike |
6 |
|
7 |
GLEP 44 says: |
8 |
<snip> |
9 |
For compability though we have to rely on at least one hash function to |
10 |
always be present, this proposal suggest to use SHA1 for this purpose |
11 |
(as it is supposed to be more secure than MD5 and currently only SHA1 |
12 |
and MD5 are directly available in python, also MD5 doesn't have any |
13 |
benefit in terms of compability). |
14 |
</snip> |
15 |
|
16 |
Although the "more secure than MD5" part is now questionable, I suppose |
17 |
the "directly available in python" part still holds? One point of the |
18 |
GLEP is to make tree smaller, so why keep more insecure formats when the |
19 |
room they would occupy can be used for more secure formats like |
20 |
sha256/512, although those can't be deemed the mandatory ones because |
21 |
they're not directly in python. |
22 |
So if both MD5 and SHA1 are now insecure but one of them needs to be the |
23 |
mandatory one, the question is, is it still harder to crack SHA1 than |
24 |
MD5? If yes, then just forget MD5. |
25 |
|
26 |
-- |
27 |
Vlastimil Babka (Caster) |
28 |
Gentoo/Java |
29 |
-- |
30 |
gentoo-dev@g.o mailing list |