[arch-dev-public] Can we trust our mirrors?

Pierre Schmitz pierre at archlinux.de
Sat Nov 29 09:05:12 EST 2008

On Sat, 29 Nov 2008 15:00:20 +0100, Thomas Bächler <thomas at archlinux.org>
> If this is to provide any security, we need to stop using md5! md5 is 
> okay when trying to detect corrupted downloads, however it is possible 
> to find collisions and thus build a "bad" package that has the same md5 
> as the good package.

Well, it should be quite easy to use sha instead. I am not an expert but
how easy is it to produce a valid package with the same md5sum? I know that
creating "some" file is not hard.
Pierre Schmitz

Clemens-August-Straße 76
53115 Bonn

Telefon		0228 9716608
Mobil		0160 95269831
Jabber		pierre at jabber.archlinux.de
WWW		http://www.archlinux.de

More information about the arch-dev-public mailing list