Bug 480038

Summary: RFE: support stronger hashes than MD5
Product: [Fedora] Fedora
Reporter: Miloslav Trmač <mitr>
Component: isomd5sum
Assignee: Radek Vykydal <rvykydal>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: apevec, jgreguske, kloczko.tomasz, ovirt-maint, sgrubb
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2018-01-26 23:25:19 UTC
Bug Blocks: 461972, 477043

Description Miloslav Trmač 2009-01-14 17:20:56 UTC
MD5 has known weaknesses and should eventually be phased out; it would be nice if newer hashes (such as SHA-2) were supported. The data currently created by implantisomd5 consume less than half of the application area, so there is enough space for adding a single SHA-256 hash computed over the whole image, which should not break compatibility with older versions of checkisomd5.

Comment 2 Jeremy Katz 2009-01-14 17:57:03 UTC
Given that collision resistance isn't at all the concern behind having the embedded md5sum, I'm not sure that it's really a case that we have to switch.  

Switching to a single SHA-256 would mean that we lose the incremental checking which is actually very useful in the case of the failure mode to speed up failing.

Comment 3 Miloslav Trmač 2009-01-14 18:07:46 UTC
I suggested adding a single SHA-256 hash, not removing anything.

Or perhaps add a SHA-256 hash, SHA-256 fragment sums, and keep a single MD5 sum to allow mediacheck when booting from an older medium.

(But you're right, the justification to add this feature is pretty weak.)
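
The trade-off raised in comments 2 and 3, as an added example that is not part of the original thread and is neither isomd5sum's code nor its on-disk format: a whole-image SHA-256 plus SHA-256 fragment sums taken from the running hash, so a damaged medium fails at the first bad checkpoint instead of after a full read. The names `make_sums`, `check`, `FRAGMENTS` and `PREFIX_HEX`, the checkpoint layout and the sample image are assumptions made for this sketch.

```python
import hashlib
import io

FRAGMENTS = 20   # checkpoint count (assumed for this sketch)
PREFIX_HEX = 8   # hex digits stored per checkpoint (assumed)

# Constructed sample "image": 1,024,000 bytes of a repeating pattern.
IMAGE = bytes(range(256)) * 4000

def boundaries(size, fragments):
    """End offset of each fragment; the last one is the image end."""
    return [size * (i + 1) // fragments for i in range(fragments)]

def make_sums(image, fragments=FRAGMENTS):
    """Return (full SHA-256 hex, checkpoint prefixes of the running hash)."""
    h = hashlib.sha256()
    sums, start = [], 0
    for end in boundaries(len(image), fragments):
        h.update(image[start:end])
        # hexdigest() does not finalize the object, so hashing continues.
        sums.append(h.hexdigest()[:PREFIX_HEX])
        start = end
    return h.hexdigest(), sums

def check(stream, size, full_hex, sums, chunk=4096):
    """Verify a stream; return (ok, bytes_read), stopping at the first bad checkpoint."""
    h = hashlib.sha256()
    read = 0
    for expected, end in zip(sums, boundaries(size, len(sums))):
        while read < end:
            buf = stream.read(min(chunk, end - read))
            if not buf:
                return False, read      # medium shorter than recorded size
            h.update(buf)
            read += len(buf)
        if h.hexdigest()[:PREFIX_HEX] != expected:
            return False, read          # fail fast: rest of the medium is not read
    return h.hexdigest() == full_hex, read

if __name__ == "__main__":
    full, sums = make_sums(IMAGE)
    damaged = bytearray(IMAGE)
    damaged[120000] ^= 0xFF             # constructed single-byte corruption
    print(check(io.BytesIO(IMAGE), len(IMAGE), full, sums))
    print(check(io.BytesIO(bytes(damaged)), len(IMAGE), full, sums))
```

With a single whole-image hash alone, the damaged image would be detected only after all 1,024,000 bytes were read; with checkpoints the check stops at the end of the third fragment.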

Comment 4 Chris Lumens 2009-09-04 20:12:23 UTC
We will consider patches sent to anaconda-maint-list, but are unlikely to implement this on our own.

Comment 11 Tomasz Kłoczko 2018-01-26 23:25:19 UTC
Agree with Chris Lumens.
If someone posts the patch, it can be integrated.
Closing.