[pacman-dev] $ARCH suffix on packages

Roman Kyrylych roman.kyrylych at gmail.com
Wed Oct 11 16:48:27 EDT 2006


2006/10/11, VMiklos <vmiklos at frugalware.org>:
> > Then why do the Frugalware guys use it instead of md5 now? What advantages
> > does it give them? I'm just curious.
>
> with md5sum, it's almost trivial to make collisions. mirrors can change
> packages without having the md5sum changed. with sha1, this is much more
> difficult
>
> and of course we know that sha1 is not a cryptographical algorithm,
> either. i plan to come up with an "optional support for gpg signatures"
> patch, just it's far from complete at the moment

That's what I was thinking about. I know that there were more than
enough articles about collisions in the MD5 algorithm recently. And I
don't think that using a more secure hashing algorithm is paranoid. IMHO
SHA-512 (which is _not_the_same_ as SHA1) will be the right choice. GPG is
much more complex to implement.

But I see another thread about this has been started, so let's move there.

-- 
Roman Kyrylych (Роман Кирилич)

