Red Hat Bugzilla – Bug 133203
MD5SUMS is no longer appropriate
Last modified: 2007-11-30 17:10:49 EST
Given the MD5 and SHA0 cracks, the use of MD5 to sign CD images,
especially ones that are large and easily padded with new data, should
be phased out in favour of something like SHA1SUMS.
Assigning to release engineering.
To guard against a possible future vulnerability in SHA1 (or any
hashing algorithm), why not provide multiple checksums?
All checksums must be okay for the package (etc) to be installed.
Reassigning to Jeremy since the implant utility is included in the anaconda packages.
I don't think that Alan is caring about what's embedded in the ISO here...
that's really just an arbitrary checksum to ensure we can read all of the disc.
The bigger concern is the distributed MD5SUMs which you can then use externally
to verify that the ISO you got is the same one we distributed.
Rather than forever switch checksum algorithms to something which
hasn't been broken yet, why not provide multiple checksums?
Difficult to break..
The script used to prep an FC tree has been switched to use SHA1
instead of MD5 (which hasn't really been "broken", but anyways...)
Time for multiple hashes?
NetBSD have switched to using multiple checksums.
"the pkgsrc infrastructure has been changed to use multiple digest
algorithms for distfiles and distpatches, and all the distinfo files
in pkgsrc have been updated, where possible, to use multiple checksums."
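
The "all checksums must be okay" rule proposed in this thread, as an added example that is not part of the original bug report or of any Red Hat or NetBSD tooling. It assumes checksum lists in the `md5sum`/`sha1sum` output format; the required algorithm set, the function names and the `sample.iso` file are hypothetical.

```python
import hashlib
import os
import tempfile

REQUIRED = ("md5", "sha1", "sha256")  # assumed policy: every one must match

def parse_sums(text):
    """Parse md5sum/sha1sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        if digest and name:
            entries[name] = digest.lower()
    return entries

def digest_file(path, algorithms, chunk=1 << 20):
    """Read the file once, feeding each chunk to every hash object."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(path, sums_by_algorithm, required=REQUIRED):
    """Fail closed: a missing list or entry counts the same as a mismatch."""
    name = os.path.basename(path)
    actual = digest_file(path, required)
    failures = []
    for algo in required:
        expected = parse_sums(sums_by_algorithm.get(algo, "")).get(name)
        if expected is None:
            failures.append(f"{algo}: no entry")
        elif expected != actual[algo]:
            failures.append(f"{algo}: mismatch")
    return (not failures, failures)

def demo():
    """Constructed sample: a small temporary file stands in for an ISO image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.iso")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample image\n")
        sums = {a: f"{h}  sample.iso\n" for a, h in digest_file(path, REQUIRED).items()}
        all_ok = verify(path, sums)
        sums["sha1"] = "0" * 40 + "  sample.iso\n"  # one list disagrees
        one_bad = verify(path, sums)
        del sums["sha256"]  # one list is absent altogether
        return all_ok, one_bad, verify(path, sums)

if __name__ == "__main__":
    print(demo())
```

Requiring every digest to match only helps if the checksum lists themselves arrive over a channel the attacker cannot alter, since lists fetched from the same mirror as the image can be replaced along with it.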