Red Hat Bugzilla – Bug 480038
RFE: support stronger hashes than MD5
Last modified: 2010-06-10 16:53:52 EDT
MD5 has known weaknesses and should be eventually phased out; it would be nice if newer hashes (such as SHA-2) were supported. The data currently created by implantisomd5 consume less than half of the application area, so there is enough space for adding a single SHA-256 hash computed over the whole image, which should not break compatibility with older versions of checkisomd5.
Given that collision resistance isn't at all the concern behind having the embedded md5sum, I'm not sure that it's really a case that we have to switch.
Switching to a single SHA-256 would mean that we lose the incremental checking which is actually very useful in the case of the failure mode to speed up failing.
I suggested adding a single SHA-256 hash, not removing anything.
Or perhaps add a SHA-256 hash, SHA-256 fragment sums, and keep a single MD5 sum to allow mediacheck when booting from an older medium.
(But you're right, the justification to add this feature is pretty weak.)
We will consider patches sent to email@example.com, but are unlikely to implement this on our own.
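An added sketch, not part of the bug thread and not isomd5sum's code, of how fragment checkpoints taken from one running SHA-256 would keep the fail-fast behaviour discussed above alongside a whole-image digest. The function names, fragment count, truncation length and checkpoint layout are assumptions and do not describe the on-disc format.

```python
import hashlib

# Constructed sample "image": 16 KiB of patterned bytes.
IMAGE = bytes(range(256)) * 64


def implant(image: bytes, fragments: int = 4, keep: int = 8):
    """Return (full_hexdigest, checkpoints) for image.

    checkpoints is a list of (offset, truncated_digest) snapshots taken
    from a single running SHA-256 at evenly spaced boundaries.
    """
    h = hashlib.sha256()
    step = len(image) // fragments
    checkpoints = []
    for i in range(1, fragments):
        h.update(image[(i - 1) * step : i * step])
        # copy() finalizes a snapshot without disturbing the running hash
        checkpoints.append((i * step, h.copy().digest()[:keep]))
    h.update(image[(fragments - 1) * step :])
    return h.hexdigest(), checkpoints


def check(image: bytes, full_hex: str, checkpoints):
    """Verify image; return (ok, bytes_hashed_before_verdict)."""
    h = hashlib.sha256()
    pos = 0
    for offset, expected in checkpoints:
        h.update(image[pos:offset])
        pos = offset
        if h.copy().digest()[: len(expected)] != expected:
            return False, pos  # stop at the first bad fragment
    h.update(image[pos:])
    return h.hexdigest() == full_hex, len(image)


def corrupt(image: bytes, index: int) -> bytes:
    """Flip every bit of one byte to simulate a media read error."""
    damaged = bytearray(image)
    damaged[index] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    full, cps = implant(IMAGE)
    print("clean      :", check(IMAGE, full, cps))
    print("early error:", check(corrupt(IMAGE, 100), full, cps))
    print("late error :", check(corrupt(IMAGE, 16000), full, cps))
```

Damage in the first fragment is reported after hashing a quarter of the image, while damage in the last fragment is only caught by the whole-image digest.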