2006/10/12, Cameron Daniel <me@camdaniel.com>:
On Thu, 12 Oct 2006 00:06:44 +0300 "Roman Kyrylych" <roman.kyrylych@gmail.com> wrote:
This won't make the system more secure. Because if somebody has the resources to find a collision in SHA1 then I'm sure he/she/they can do the same with MD5. And if they cannot do this for SHA1 then MD5 doesn't matter.
Only using SHA-512 or public key cryptography really solves security problems with both MD5 and SHA1.
I think you're missing the point here. Using both doesn't just make it as strong as the strongest (sha1 here), sure someone could craft a tarball that matched the md5sum of the original tarball but then finding a sha1 collision and crafting the _same_ tarball to match both is going to be significantly more work if even possible.
Oh, it seems you are right. If didn't think about this issue, it's already 0:45 at my timezone and I'm a bit tired and my head is now working good :-). Nice explanation, BTW.
I'm for using bzip over gzip as well. It's trivial to implement with libarchive and while it adds CPU time, it decreases download size in some cases by a few hundred KB. Net connections still aren't as quick as I'm sure a lot of us would like ha, bzip would probably end up with the slightly quicker install.
Yes, especially for people with slow connections (some users still have dialup at <=33.6K!). -- Roman Kyrylych (Роман Кирилич)