RPM submission procedure
Alan Cox
alan at redhat.com
Thu Jan 8 14:02:07 UTC 2004
On Wed, Jan 07, 2004 at 08:41:52PM -0500, seth vidal wrote:
> > (BTW SHA please MD5 has flaws 8)
> What flaws in particular?
>
> I'm not disagreeing I'm just not aware of them and am also curious why
> rpm --dump sompkgname still lists md5sums of files instead of sha1sum's.
I guess because nobody hash changed systems yet. Its not a pressing problem.
Of the 3 MD hash functions MD4 is broken entirely nowdays. MD2 has some
known limits which are not serious and MD5. Its currently estimated that
it would take someone several days to find an MD5 collision using custom
hardware because MD5 has some cryptoanalytic weaknesses.
SHA-1 (the original SHA-0 was broken) is a somewhat strong algorithm that
also has the advantage that people like the US government like it and
its part of FIPS PUB 180-2.
At the moment I don't believe (but I am not a cryptographer!) that MD5
is a problem, but it is very likely to become so as machines get faster.
More information about the fedora-devel-list
mailing list