Red Hat Bugzilla – Bug 103462
SHA1 instead of MD5
Last modified: 2007-11-30 17:10:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030827 Galeon/1.3.7
Description of problem:
I think Red Hat should move from RSA Data Security, Inc. proprietary MD5 algorithm
to more secure SHA1.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
US Secure Hash Algorithm 1 (SHA1):
SECURE HASH STANDARD:
Move to it where, in what context?
As I told you in IRC, MD5 is not proprietary.
pro·pri·e·tar·y
1. Of, relating to, or suggestive of a proprietor or to proprietors as a
group: had proprietary rights; behaved with a proprietary air in his friend's house.
2. Exclusively owned; private: a proprietary hospital.
3. Owned by a private individual or corporation under a trademark or patent:
a proprietary drug.
The unofficial homepage, with legal disclaimer and license terms:
I'm not quite sure what you think is proprietary about MD5.
Ok, let's rephrase: SHA1 hash is longer, so it's more secure. Please consider
starting to use it in place of MD5 when possible. Like in security announcements.
All the packages distributed by Red Hat as part of our advisories are signed
with the Red Hat package signing key. Checking this signature is done
automatically for people using our update tools, and we do encourage users to
manually check it if downloading for themselves. This reduces the need for us
to list individual checksums.
If the MD5 sums in our advisories were the sole mechanism for our users to check
the packages they were downloading then we'd be more likely to move to SHA1.
I believe that MD5 sums are fit for the purpose that we use them for, so moving
to deferred; we'll look at this again if any of the conditions change.
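
The distinction drawn in the last comment, between a package whose signature verified and one where only checksums matched, as an added example that is not part of the original bug report. It classifies lines of `rpm -K` (`rpm --checksig`) output; the helper names `classify_checksig` and `require_signed` are hypothetical, and the sample lines are constructed to follow the output format of older and newer rpm releases.

```shell
# Added example; function names are hypothetical.
# Classify one line of `rpm -K` output as signed-ok, digest-only or failed.
classify_checksig() {
    checks="${1#*: }"                       # drop the "<file>: " prefix
    case "$checks" in
        *"NOT OK"*) echo "failed"; return 0 ;;
    esac
    checks="$(printf '%s' "$checks" | tr '[:upper:]' '[:lower:]')"
    case "$checks" in
        # A signature check is listed only when the package carries one.
        *signatures*|*gpg*|*pgp*|*rsa*|*dsa*) echo "signed-ok" ;;
        # "OK" with digests alone means the checksums matched, nothing more.
        *) echo "digest-only" ;;
    esac
}

# Read `rpm -K` output on stdin; succeed only if every package is signed-ok.
require_signed() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict="$(classify_checksig "$line")"
        printf '%-12s %s\n' "$verdict" "${line%%: *}"
        [ "$verdict" = "signed-ok" ] || rc=1
    done
    return "$rc"
}

# Constructed sample output (not captured from a real system).
SAMPLE_OUTPUT='good-1.0-1.noarch.rpm: digests signatures OK
old-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
unsigned-1.0-1.noarch.rpm: digests OK
tampered-1.0-1.noarch.rpm: digests SIGNATURES NOT OK'

# Real use would be: rpm -K ./*.rpm | require_signed
printf '%s\n' "$SAMPLE_OUTPUT" | require_signed \
    || echo "refusing: at least one package lacks a verified signature"
```

An unsigned package still reports `OK` because its internal digests match, which is why the gate looks for a signature check by name instead of trusting the trailing `OK`.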