| 1 |
Mike Frysinger wrote: |
| 2 |
> ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're |
| 3 |
> going to be leaving an insecure format, we might as well keep the one that is |
| 4 |
> a virtual standard in and of itself (MD5) |
| 5 |
> -mike |
| 6 |
|
| 7 |
GLEP 44 says: |
| 8 |
<snip> |
| 9 |
For compability though we have to rely on at least one hash function to |
| 10 |
always be present, this proposal suggest to use SHA1 for this purpose |
| 11 |
(as it is supposed to be more secure than MD5 and currently only SHA1 |
| 12 |
and MD5 are directly available in python, also MD5 doesn't have any |
| 13 |
benefit in terms of compability). |
| 14 |
</snip> |
| 15 |
|
| 16 |
Although the "more secure than MD5" part is now questionable, I suppose |
| 17 |
the "directly available in python" part still holds? One point of the |
| 18 |
GLEP is to make tree smaller, so why keep more insecure formats when the |
| 19 |
room they would occupy can be used for more secure formats like |
| 20 |
sha256/512, although those can't be deemed the mandatory ones because |
| 21 |
they're not directly in python. |
| 22 |
So if both MD5 and SHA1 are now insecure but one of them needs to be the |
| 23 |
mandatory one, the question is, is it still harder to crack SHA1 than |
| 24 |
MD5? If yes, then just forget MD5. |
| 25 |
|
| 26 |
-- |
| 27 |
Vlastimil Babka (Caster) |
| 28 |
Gentoo/Java |
| 29 |
-- |
| 30 |
gentoo-dev@g.o mailing list |
Archives