Bug 103462
Summary: | SHA1 instead of MD5 | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petri T. Koistinen <thoron> |
Component: | distribution | Assignee: | Mark J. Cox <mjc> |
Status: | CLOSED DEFERRED | QA Contact: | Mike McLean <mikem> |
Severity: | medium | Priority: | low |
Version: | 1 | CC: | barryn, mharris, mitr |
Hardware: | All | Keywords: | FutureFeature |
OS: | Linux | Doc Type: | Enhancement |
Last Closed: | 2003-09-01 09:16:09 UTC | | |
Description
Petri T. Koistinen
2003-08-31 10:57:51 UTC
Move to it where, in what context? As I told you in IRC, MD5 is not proprietary.

http://dictionary.reference.com/search?q=proprietary

pro·pri·e·tar·y adj.
1. Of, relating to, or suggestive of a proprietor or to proprietors as a group: had proprietary rights; behaved with a proprietary air in his friend's house.
2. Exclusively owned; private: a proprietary hospital.
3. Owned by a private individual or corporation under a trademark or patent: a proprietary drug.

The RFC: http://asg.web.cmu.edu/rfc/rfc1321.html

The unofficial homepage, with legal disclaimer and license terms: http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

I'm not quite sure what you think is proprietary about MD5.

Ok, let's rephrase: SHA1 hash is longer, so it's more secure. Please consider starting to use it in place of MD5 when possible. Like in security announcements.

All the packages distributed by Red Hat as part of our advisories are signed with the Red Hat package signing key. Checking this signature is done automatically for people using our update tools, and we do encourage users to manually check it if downloading for themselves. This reduces the need for us to list individual checksums.

If the MD5 sums in our advisories were the sole mechanism for our users to check the packages they were downloading then we'd be more likely to move to SHA1. I believe that MD5 sums are fit for the purpose that we use them for, so moving to deferred; we'll look at this again if any of the conditions change.