checksum suggestion

[Bill Davidsen]

Tom Horsley wrote:
> There is little doubt that sometime soon some fiendish
> mathematician somewhere will discover that sha256sum
> is really hopelessly broken and only a fool would ever
> have used it, then we'll all have to switch to
> shaalephnullsum or some such :-).
> 
> How about we forestall all this nonsense by creating
> a new rpm that just has one symlink in it named
> 
> best-sum
> 
> Then everyone can just always use the best-sum program
> when checking isos, etc and when a new release comes
> out, it can come with a new best-sum package that installs
> the appropriate symlink to the appropriate actual
> checksum tool :-).
> 
I just posted a minuscule one liner in response to Stan's comment in the 
'sha256sum' thread, it could be a two liner and include your suggestion. Better 
yet would be to make the checksum file a shell script which one could source and 
  do the right thing no matter what comes in the future. That would be 
convenient for easily confused users.

But barring some huge breakthrough in computing power or theory, sha256sum will 
be safe for decades.

Security note: any checksum is only as secure as the source of the checksum. If 
you get the checksum from a fedora official site then sha256sum is better than 
md5sum to protect against deliberate tampering. But if you are checking to catch 
transmission errors, which are random, then md5sum will catch all but one in 
billions. In other words, if an evildoer were tampering with the ISO image, they 
would probably tamper with the checksum you got from the same place, so 
sha256sum is subject to deliberate attacks from that method.

I think I got my official checksums from the wiki, I did download mine from an 
official site, I am not a trusting person. ;-)

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot