RPM submission procedure
Florian La Roche
laroche at redhat.com
Thu Jan 8 14:36:49 UTC 2004
On Thu, Jan 08, 2004 at 09:02:07AM -0500, Alan Cox wrote:
> On Wed, Jan 07, 2004 at 08:41:52PM -0500, seth vidal wrote:
> > > (BTW SHA please MD5 has flaws 8)
> > What flaws in particular?
> >
> > I'm not disagreeing I'm just not aware of them and am also curious why
> > rpm --dump sompkgname still lists md5sums of files instead of sha1sum's.
>
> I guess because nobody hash changed systems yet. Its not a pressing problem.
> Of the 3 MD hash functions MD4 is broken entirely nowdays. MD2 has some
> known limits which are not serious and MD5. Its currently estimated that
> it would take someone several days to find an MD5 collision using custom
> hardware because MD5 has some cryptoanalytic weaknesses.
>
> SHA-1 (the original SHA-0 was broken) is a somewhat strong algorithm that
> also has the advantage that people like the US government like it and
> its part of FIPS PUB 180-2.
>
> At the moment I don't believe (but I am not a cryptographer!) that MD5
> is a problem, but it is very likely to become so as machines get faster.
I think md5 is only looked at if the rpm is not gpg-signed. At that
point you should get sha1 checksumming, right? So md5 is anyway only
a crc value, not something you rely on with the current tools.
greetings,
Florian La Roche
More information about the fedora-devel-list
mailing list