Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-dev
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-dev@g.o
From: Chris White <chriswhite@g.o>
Subject: Re: Notification about MD5 support
Date: Fri, 22 Sep 2006 10:16:12 -0700
On Thursday 21 September 2006 08:54, Hanno Böck wrote:
> I think sha256/512 is the only thing that makes sense at the moment, as it
> most probably will stay secure for quite a while and we don't have real
> alternatives. So imho use sha256, get rid of everything else, because that
> rarely improves security, and wait for the nist to define something new
> (which will happen, but probably take some years from now).

Well, the problem that occurs here is the verification process.  With MD5, you 
can hit most upstream sites, and they'll have an MD5SUM avaliable that you 
can authenticate against.  With SHA256, you would need an upstream that 
actually implements them as hashes for release notifications.  Without this 
sort of verification, there's a better chance of someone putting out some 
kind of exploit tarball, us hashing it as per the usual, and the whole 
purpose gets defeated.  Yes, you can consider that developers should be going 
in and checking the changes, etc., but the problem it's something a lot of 
devs would be less likely to do versus an easy md5sum lookup.

-- 
Chris White
Gentoo Developer aka:
xxxxxx (Scissors Were Here) xxxxxx
Attachment:
pgpFShJjUJ0hu.pgp (PGP signature)
Replies:
Re: Notification about MD5 support
-- Vlastimil Babka
References:
Notification about MD5 support
-- Marius Mauch
Re: Notification about MD5 support
-- Vlastimil Babka
Re: Notification about MD5 support
-- Hanno Böck
Navigation:
Lists: gentoo-dev: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Notification about MD5 support
Next by thread:
Re: Notification about MD5 support
Previous by date:
Re: Notification about MD5 support
Next by date:
Re: Re: Delay in approval of new developers


Updated Jun 17, 2009

Summary: Archive of the gentoo-dev mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.