2006/10/11, VMiklos <vmiklos@frugalware.org>:
Then why do Frugalware guys use it instead of md5 now? What advantages does it give them? I'm just curious.
with md5sum, it's almost trivial to make collisions. mirrors can change packages without having the md5sum changed. with sha1, this is much more difficult
and of course we know that sha1 is not a cryptographical algorithm, either. i plan to come up with an "optional support for gpg signatures" patch, it's just far from complete at the moment
That's what I was thinking about. I know that there were more than enough articles about collisions in the MD5 algorithm recently. And I don't think that using a more secure hashing algorithm is paranoid. IMHO SHA-512 (which is _not_the_same_ as SHA1) will be the right choice. GPG is much more complex to implement. But I see another thread about this has been started, so let's move there.
--
Roman Kyrylych (Роман Кирилич)