Bug 133203 - MD5SUMS is no longer appropriate
Summary: MD5SUMS is no longer appropriate
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Elliot Lee
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-09-22 13:50 UTC by Alan Cox
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-12-03 19:35:19 UTC
Type: ---
Embargoed:



Description Alan Cox 2004-09-22 13:50:16 UTC
Given the MD5 and SHA0 cracks, the use of MD5 to sign CD images,
especially ones that are large and easily padded with new data, should
be phased out in favour of something like SHA1SUMS.

Comment 1 Bill Nottingham 2004-09-22 19:23:22 UTC
Assigning to release engineering.

Comment 2 Need Real Name 2004-09-24 08:51:15 UTC
To guard against a possible future vulnerability in SHA1 (or any
hashing algorithm), why not provide multiple checksums?

All checksums must be okay for the package (etc) to be installed.

Comment 3 Tim Powers 2004-10-15 14:32:30 UTC
Reassigning to Jeremy since the implant utility is included in the anaconda packages.

Comment 4 Jeremy Katz 2004-10-15 19:47:54 UTC
I don't think that Alan is caring about what's embedded in the ISO here...
that's really just an arbitrary checksum to ensure we can read all of the disc.
The bigger concern is the distributed MD5SUMs which you can then use externally
to verify that the ISO you got is the same one we distributed.

Comment 5 Need Real Name 2004-10-18 11:52:56 UTC
Rather than forever switch checksum algorithms to something which
hasn't been broken yet, why not provide multiple checksums?
Difficult to break.

Comment 6 Elliot Lee 2004-12-03 19:35:19 UTC
The script used to prep an FC tree has been switched to use SHA1
instead of MD5 (which hasn't really been "broken", but anyways...)

Comment 7 Need Real Name 2005-02-16 10:30:11 UTC
Time for multiple hashes?
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Comment 8 Need Real Name 2005-03-10 14:25:08 UTC
NetBSD have switched to using multiple checksums.

"the pkgsrc infrastructure has been changed to use multiple digest
algorithms for distfiles and distpatches, and all the distinfo files
in pkgsrc have been updated, where possible, to use multiple checksums."
-- http://mail-index.netbsd.org/tech-pkg/2005/03/07/0023.html
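The "all checksums must match" policy proposed in comments 2, 5 and 8, as an added example that is not part of this bug or of Fedora's release tooling: a verifier that parses coreutils-style MD5SUMS/SHA1SUMS files and accepts an image only when every published digest for it matches. The image bytes, the file name `image.iso` and the checksum files are constructed inline for illustration.

```python
import hashlib
from typing import List, Tuple

# Map digest hex length to algorithm name (assumption: only these appear).
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_sums(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'HEX  filename' lines into (filename, algorithm, hex digest)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")       # '*' marks binary mode in coreutils
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"unrecognised checksum line: {raw!r}")
        entries.append((name, algo, digest.lower()))
    return entries


def verify(data: bytes, name: str, sums_files: List[str]) -> bool:
    """True only if `name` is listed and every listed digest matches `data`.

    A single mismatching digest rejects the file, so a collision in one
    algorithm alone is not enough to pass a padded or substituted image.
    """
    expected = [e for f in sums_files for e in parse_sums(f) if e[0] == name]
    if not expected:
        return False                           # nothing published: unverifiable
    return all(hashlib.new(algo, data).hexdigest() == digest
               for _, algo, digest in expected)


# Constructed sample: a stand-in for an ISO and the files a mirror would ship.
GOOD_ISO = b"pretend this is a Fedora Core ISO image\n" * 1000
MD5SUMS = f"{hashlib.md5(GOOD_ISO).hexdigest()}  image.iso\n"
SHA1SUMS = f"{hashlib.sha1(GOOD_ISO).hexdigest()}  image.iso\n"

# Constructed tampered copy that has been padded with extra data.
PADDED_ISO = GOOD_ISO + b"\x00" * 512

# A checksum file whose SHA1 entry belongs to the padded copy, not the real one.
MISMATCHED_SHA1SUMS = f"{hashlib.sha1(PADDED_ISO).hexdigest()}  image.iso\n"

if __name__ == "__main__":
    print(verify(GOOD_ISO, "image.iso", [MD5SUMS, SHA1SUMS]))    # True
    print(verify(PADDED_ISO, "image.iso", [MD5SUMS, SHA1SUMS]))  # False
```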

