Gentoo Archives: gentoo-dev

From: Vlastimil Babka <caster@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Notification about MD5 support
Date: Thu, 21 Sep 2006 14:54:53
Message-Id: 4512A694.5070208@gentoo.org
In Reply to: Re: [gentoo-dev] Notification about MD5 support by Mike Frysinger

Mike Frysinger wrote:
> ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're
> going to be leaving an insecure format, we might as well keep the one that is
> a virtual standard in and of itself (MD5)
> -mike

GLEP 44 says:

<snip>
For compatibility though we have to rely on at least one hash function to always be present, this proposal suggests to use SHA1 for this purpose (as it is supposed to be more secure than MD5 and currently only SHA1 and MD5 are directly available in python, also MD5 doesn't have any benefit in terms of compatibility).
</snip>

Although the "more secure than MD5" part is now questionable, I suppose the "directly available in python" part still holds?

One point of the GLEP is to make the tree smaller, so why keep more insecure formats when the room they would occupy can be used for more secure formats like sha256/512, although those can't be deemed the mandatory ones because they're not directly in python?

So if both MD5 and SHA1 are now insecure but one of them needs to be the mandatory one, the question is, is it still harder to crack SHA1 than MD5? If yes, then just forget MD5.

--
Vlastimil Babka (Caster)
Gentoo/Java
--
gentoo-dev@g.o mailing list
