Bug 103462 - SHA1 instead of MD5
SHA1 instead of MD5
Product: Fedora
Classification: Fedora
Component: distribution (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Mark J. Cox (Product Security)
Mike McLean
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2003-08-31 06:57 EDT by Petri T. Koistinen
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-09-01 05:16:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Petri T. Koistinen 2003-08-31 06:57:51 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030827 Galeon/1.3.7

Description of problem:
I think Red Hat should move from RSA Data Security, Inc. propietary MD5 algoritm
to more secure SHA1.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:


Additional info:

US Secure Hash Algorithm 1 (SHA1):

Comment 1 Bill Nottingham 2003-08-31 21:47:03 EDT
Move to it where, in what context?
Comment 2 Mike A. Harris 2003-08-31 23:16:39 EDT
As I told you in IRC, MD5 is not proprietary.


pro·pri·e·tar·y   Audio pronunciation of proprietary ( P )  Pronunciation Key 

   1. Of, relating to, or suggestive of a proprietor or to proprietors as a
group: had proprietary rights; behaved with a proprietary air in his friend's house.
   2. Exclusively owned; private: a proprietary hospital.
   3. Owned by a private individual or corporation under a trademark or patent:
a proprietary drug.

The RFC:

The unofficial homepage, with legal disclaimer and license terms:

I'm not quite sure what you think is proprietary about MD5.
Comment 3 Petri T. Koistinen 2003-09-01 01:11:34 EDT
Ok, let's refrase: SHA1 hash is longer, so it's more secure. Please, consider
starting using it in place of MD5 when possible. Like in security announcements.
Comment 4 Mark J. Cox (Product Security) 2003-09-01 05:16:09 EDT
All the packages distributed by Red Hat as part of our advisories are signed
with the Red Hat package signing key.  Checking this signature is done
automatically for people using our update tools, and we do encourage users to
manually check it if downloading for themselves.  This reduces the need for us
to list individual checksums.  

If the MD5 sums in our advisories were the sole mechanism for our users to check
the packages they were downloading then we'd be more likely to move to SHA1.  

I believe that MD5 sums are fit for the purpose that we use them for, so moving
to deferred; we'll look at this again if any of the conditions change.

Note You need to log in before you can comment on or make changes to this bug.