SHA1 and 256 (again) :)

Stephen John Smoogen smooge at
Thu Nov 19 01:33:05 UTC 2009

On Wed, Nov 18, 2009 at 5:39 PM, Rahul Sundaram
<sundaram at> wrote:
> On 11/19/2009 06:04 AM, Ladislav Bodnar wrote:
>> On Thursday 19 November 2009, Rahul Sundaram wrote:
>>> Note that changing HASH: SHA1 to anything else in the top of the file
>>> will make the gpg check fail since it writes it out that way. So it's
>>> sort of a tricky issue to solve. Not sloppiness.
>> Maybe it would be simpler to call the file SHA256SUM (or SHA256) instead of
>> CHECKSUM? As far as I remember, these files used to be called MD5SUM, then
>> SHA1SUM, which made it very clear what was inside. But with so many
>> different checksum standards, calling the file CHECKSUM is bound to lead to
>> confusion.
> I think the generic name was picked up because nobody believes that
> SHA256 hashes are going to be cryptographically secure for a long time
> and we are bound to switch to stronger checksums over a period of time
> but I think, a clear filename does make it more easier to avoid this
> mass confusion. Jesse Keating?

That would be my guess also. My guess is that when the NIST new
checksum is decided and published that will be the tools to work with.
Looking for windows tools.. I only found ones that were Cygwin based..
it would be interesting to see if they can be ported to use MinGW #this has tools for sha256 and works
under cygwin.

Some sites use multiple checksums but there are pros and cons that I
have heard various cryptoanalysts argue about and I am no clearer
which ones are right :).

Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

More information about the fedora-test-list mailing list