Bug 133203 - MD5SUMS is no longer appropriate
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: distribution
Version: 3
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Elliot Lee
Reported: 2004-09-22 09:50 EDT by Alan Cox
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-12-03 14:35:19 EST
Description Alan Cox 2004-09-22 09:50:16 EDT
Given the MD5 and SHA0 cracks, the use of MD5 to sign CD images,
especially ones that are large and easily padded with new data, should
be phased out in favour of something like SHA1SUMS.
Comment 1 Bill Nottingham 2004-09-22 15:23:22 EDT
Assigning to release engineering.
Comment 2 Need Real Name 2004-09-24 04:51:15 EDT
To guard against a possible future vulnerability in SHA1 (or any
hashing algorithm), why not provide multiple checksums?

All checksums must be okay for the package (etc) to be installed.
Comment 3 Tim Powers 2004-10-15 10:32:30 EDT
Reassigning to Jeremy since the implant utility is included in the anaconda packages.
Comment 4 Jeremy Katz 2004-10-15 15:47:54 EDT
I don't think that Alan is caring about what's embedded in the ISO here...
that's really just an arbitrary checksum to ensure we can read all of the disc.
The bigger concern is the distributed MD5SUMs which you can then use externally
to verify that the ISO you got is the same one we distributed.
Comment 5 Need Real Name 2004-10-18 07:52:56 EDT
Rather than forever switching checksum algorithms to something which
hasn't been broken yet, why not provide multiple checksums?
Difficult to break.
Comment 6 Elliot Lee 2004-12-03 14:35:19 EST
The script used to prep an FC tree has been switched to use SHA1
instead of MD5 (which hasn't really been "broken", but anyways...)
Comment 7 Need Real Name 2005-02-16 05:30:11 EST
Time for multiple hashes?
 http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
Comment 8 Need Real Name 2005-03-10 09:25:08 EST
NetBSD have switched to using multiple checksums.

"the pkgsrc infrastructure has been changed to use multiple digest
algorithms for distfiles and distpatches, and all the distinfo files
in pkgsrc have been updated, where possible, to use multiple checksums."
 -- http://mail-index.netbsd.org/tech-pkg/2005/03/07/0023.html
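
The "all checksums must be okay" policy proposed in comments 2, 5 and 8, as an added example that is not part of the bug report or of Fedora's release tooling. The manifest layout (`ALGO (file) = hex` lines), the file name `disc1.iso`, the required pair of SHA-1 plus SHA-256, and all function names are assumptions made for illustration.

```python
import hashlib
import io
import re

# Assumed policy: a manifest missing any of these digests is rejected, so
# deleting the stronger line cannot downgrade the check to one algorithm.
REQUIRED = ("sha1", "sha256")
LINE = re.compile(r"^([A-Za-z0-9]+) \((.+)\) = ([0-9a-fA-F]+)$")


def parse_manifest(text):
    """Return {filename: {algorithm: hexdigest}} from 'ALGO (name) = hex' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
        if algo in entries.setdefault(name, {}):
            raise ValueError(f"duplicate {algo} entry for {name}")
        entries[name][algo] = digest
    return entries


def digest_stream(stream, algos, chunk=1 << 20):
    """Read the stream once, feeding every chunk to each algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(name, stream, entries, required=REQUIRED):
    """True only if all required digests are listed and every listed digest matches."""
    listed = entries.get(name, {})
    if any(a not in listed for a in required):
        return False  # a required digest is absent from the manifest
    if any(a not in hashlib.algorithms_available for a in listed):
        return False  # a listed digest cannot be computed here: refuse
    actual = digest_stream(stream, listed)
    return all(actual[a] == listed[a] for a in listed)


# Constructed sample: stand-in image bytes and a manifest generated from them.
IMAGE = b"constructed stand-in for an ISO image\n" * 64
MANIFEST = "\n".join(f"{a.upper()} (disc1.iso) = {hashlib.new(a, IMAGE).hexdigest()}" for a in REQUIRED)
```

Call `verify("disc1.iso", open(path, "rb"), parse_manifest(text))` on a real image; the single pass over the stream matters for CD-sized files.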