29 Nov 2008, 2:05 p.m.
On Sat, 29 Nov 2008 15:00:20 +0100, Thomas Bächler <thomas@archlinux.org> wrote:
> If this is to provide any security, we need to stop using md5! md5 is okay when trying to detect corrupted downloads, however it is possible to find collisions and thus build a "bad" package that has the same md5 as the good package.
Well, it should be quite easy to use sha instead. I am not an expert but how easy is it to produce a valid package with the same md5sum? I know that creating "some" file is not hard.

-- 
Pierre Schmitz

Clemens-August-Straße 76
53115 Bonn

Phone   0228 9716608
Mobile  0160 95269831
Jabber  pierre@jabber.archlinux.de
WWW     http://www.archlinux.de
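The distinction drawn in this thread (md5 as a corruption check versus a stronger digest for a security decision), as an added example that is not part of the original messages or of any package manager's code. The function name, verdict strings, and sample package bytes are hypothetical, and the recorded digests are assumed to come from metadata the client already trusts.

```python
import hashlib
import hmac

# Digests that are collision-resistant enough to back a security decision.
STRONG = {"sha256", "sha512"}
# Digests that still catch a damaged download but not a deliberately crafted file.
CORRUPTION_ONLY = {"md5", "sha1"}


def check_package(data: bytes, recorded: dict) -> str:
    """Compare package bytes against recorded digests ({algorithm: hex digest}).

    Returns "reject" on any mismatch (or when nothing is recorded),
    "verified" when everything matches and at least one digest is strong,
    and "corruption-check-only" when only weak digests vouch for the file.
    """
    if not recorded:
        return "reject"
    strong_match = False
    for algo, expected in recorded.items():
        algo = algo.lower()
        if algo not in STRONG | CORRUPTION_ONLY:
            raise ValueError(f"unsupported digest: {algo}")
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison of the two hex strings.
        if not hmac.compare_digest(actual, expected.strip().lower()):
            return "reject"
        strong_match = strong_match or algo in STRONG
    return "verified" if strong_match else "corruption-check-only"


# Constructed sample input: stand-in bytes for a package file and its metadata.
PACKAGE = b"constructed example package contents\n"
MD5_ONLY = {"md5": hashlib.md5(PACKAGE).hexdigest()}
MD5_AND_SHA256 = dict(MD5_ONLY, sha256=hashlib.sha256(PACKAGE).hexdigest())

if __name__ == "__main__":
    print(check_package(PACKAGE, MD5_ONLY))
    print(check_package(PACKAGE, MD5_AND_SHA256))
    print(check_package(PACKAGE + b"x", MD5_AND_SHA256))
```

A matching md5 here is reported separately from a verified package, so a caller cannot mistake a corruption check for an authenticity check.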