Re: [CentOS-announce] Using sha256sum instead of md5sum for package checksums

On Monday 12 December 2011, Johnny Hughes <johnny@xxxxxxxxxx> wrote:

> There are known Collision Attacks for the MD5SUM method of hashing,
>  so it is possible to modify a file and make it have the same MD5SUM
>  as another file.  See this link for details on Collision Attacks:
> 
> http://en.wikipedia.org/wiki/Collision_attack
> 
> Recommendation from the US-CERT concerning MD5SUM hashes:
> 
> http://www.kb.cert.org/vuls/id/836068
> 
> Based on the above information, the CentOS team will be using
>  sha256sum (sha-2) and not md5sum to generate future hashes for
>  posting on our e-mail announcements to the CentOS Announce Mailing
>  List.

MD5 is certainly broken, but would it be sufficient to go to sha1sum? 
According to my quick testing, sha256sum takes twice as long as sha1sum.

-- 
Yves Bellefeuille <yan@xxxxxxxx>
"The Esperanta Civito does not refuse in advance the cooperation of those
who have erred, if they are aware of their error." -- Heroldo Komunikas, no. 473.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
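
Added example, not part of the original messages and not CentOS tooling: a checker that reads checksum lines out of an announcement body and verifies a downloaded file against them, refusing to rely on a line whose digest length is not SHA-256. The line layout (hex digest, whitespace, file name, as printed by sha256sum), the SHA-256-only policy, the helper names and the sample package names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Digest length in hex characters -> algorithm that produces it.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
ACCEPTED = {"sha256"}  # assumption: policy accepts only SHA-256 lines

# "<hex digest><whitespace>[*]<file name>", the layout sha256sum prints.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32,64})\s+\*?(\S+)$")


def parse_checksums(announcement):
    """Return {filename: (algo, hexdigest)} for checksum lines in the text."""
    entries = {}
    for line in announcement.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prose, section headers, signatures
        algo = HEX_LEN_TO_ALGO.get(len(m.group(1)))
        if algo:
            entries[m.group(2)] = (algo, m.group(1).lower())
    return entries


def verify(name, data, entries):
    """Classify a downloaded file: ok, mismatch, weak-hash or unlisted."""
    if name not in entries:
        return "unlisted"
    algo, expected = entries[name]
    if algo not in ACCEPTED:
        return "weak-hash"  # an MD5/SHA-1 line is not trusted even if it matches
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample data: package names, contents and digests are made up.
GOOD = b"constructed package payload\n"
SAMPLE_ANNOUNCEMENT = "\n".join([
    "The following updated files have been uploaded:",
    "x86_64:",
    hashlib.sha256(GOOD).hexdigest() + "  example-1.0-1.el6.x86_64.rpm",
    "0123456789abcdef" * 2 + "  legacy-1.0-1.el6.x86_64.rpm",  # 32 hex chars
])

if __name__ == "__main__":
    entries = parse_checksums(SAMPLE_ANNOUNCEMENT)
    print(verify("example-1.0-1.el6.x86_64.rpm", GOOD, entries))
    print(verify("example-1.0-1.el6.x86_64.rpm", GOOD + b"x", entries))
    print(verify("legacy-1.0-1.el6.x86_64.rpm", b"legacy", entries))
```

The checksum lines are only as trustworthy as the channel that delivered the announcement, so this check complements the package signature check rather than replacing it.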