On Wed, 11 Oct 2006 10:57:53 -0500 "Aaron Griffin" <aaronmgriffin@gmail.com> wrote:
> b) I don't feel that anything is gained from using sha1sums. md5 is the de facto file integrity check. We're not using md5 as a cryptographic algorithm, we're checking file integrity.
I talked to Judd about this one. I'd noticed it while at LinuxTag a couple years back... While, on the surface, we use md5sums to check file integrity, during building we use it to verify that two downloads (at different time periods) are the same. In this situation, it's possible to craft a malicious tarball that matches the md5sum but has a different payload.

JGC was the one who suggested we use md5sums and sha1sums together because it's much more difficult to craft something malicious that matches both of them. I wrote a patch for makepkg a long time ago, but Judd didn't accept it because sha1sums were a lot longer and looked ugly in a PKGBUILD.

Jason
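
The check discussed in this thread, as an added example that is not part of the original messages and is not makepkg's code: a source file is accepted only when both its MD5 and its SHA-1 digest match the values recorded from an earlier download. The helper names `digest`, `record_sums` and `verify_both` and the sample files are assumptions made for illustration; `md5sum` and `sha1sum` are the coreutils tools.

```shell
#!/bin/sh
# Added example (not makepkg code); function names are hypothetical.

# digest TOOL FILE -> prints only the hex digest of FILE.
digest() { "$1" < "$2" | cut -d' ' -f1; }

# record_sums FILE -> prints PKGBUILD-style md5sums/sha1sums lines for FILE.
record_sums() {
    printf "md5sums=('%s')\nsha1sums=('%s')\n" \
        "$(digest md5sum "$1")" "$(digest sha1sum "$1")"
}

# verify_both FILE MD5 SHA1
# Returns 0 only if BOTH digests match, 1 on any mismatch, 2 if unreadable.
verify_both() {
    vb_file=$1
    # Normalise the expected values to lowercase hex before comparing.
    vb_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    vb_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$vb_file" ] || { echo "ERROR $vb_file: unreadable" >&2; return 2; }
    vb_rc=0
    # Check both digests and report each failure; do not stop at the first.
    [ "$(digest md5sum "$vb_file")" = "$vb_md5" ] ||
        { echo "FAIL $vb_file: md5 mismatch" >&2; vb_rc=1; }
    [ "$(digest sha1sum "$vb_file")" = "$vb_sha1" ] ||
        { echo "FAIL $vb_file: sha1 mismatch" >&2; vb_rc=1; }
    return "$vb_rc"
}

# Constructed demo: two "downloads" of one source taken at different times.
demo_dir=$(mktemp -d)
printf 'constructed source tarball\n' > "$demo_dir/first.tar"
printf 'constructed source tarball, altered\n' > "$demo_dir/second.tar"
record_sums "$demo_dir/first.tar"
demo_md5=$(digest md5sum "$demo_dir/first.tar")
demo_sha1=$(digest sha1sum "$demo_dir/first.tar")
verify_both "$demo_dir/first.tar" "$demo_md5" "$demo_sha1" &&
    echo "first download: ok"
verify_both "$demo_dir/second.tar" "$demo_md5" "$demo_sha1" ||
    echo "second download: rejected"
rm -rf "$demo_dir"
```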