[arch-dev-public] Can we trust our mirrors?
Pierre Schmitz
pierre at archlinux.de
Sat Nov 29 09:05:12 EST 2008
On Sat, 29 Nov 2008 15:00:20 +0100, Thomas Bächler <thomas at archlinux.org>
wrote:
> If this is to provide any security, we need to stop using md5! md5 is
> okay when trying to detect corrupted downloads, however it is possible
> to find collisions and thus build a "bad" package that has the same md5
> as the good package.
Well, it should be quite easy to use sha instead. I am not an expert, but
how easy is it to produce a valid package with the same md5sum? I know that
creating "some" file is not hard.
--
Pierre Schmitz
Clemens-August-Straße 76
53115 Bonn
Telefon 0228 9716608
Mobil 0160 95269831
Jabber pierre at jabber.archlinux.de
WWW http://www.archlinux.de