[pacman-dev] $ARCH suffix on packages

Alessio mOLOk' Bolognino themolok.ml at gmail.com
Wed Oct 11 16:58:38 EDT 2006

On 23:48 Wed 11 Oct     , Roman Kyrylych wrote:
> 2006/10/11, VMiklos <vmiklos at frugalware.org>:
> > > Then why Frugalware guys use it instead of md5 now? What advantages it
> > > gives them? I'm just curious.
> >
> > with md5sum, it's almost trivial to make collosions. mirrors can change
> > packages without having the md5sum changed. with sha1, this is much more
> > difficult
> >
> > and of course we know that sha1 is not a cryptographical algorithm,
> > either. i plan to came up with an "optional support for gpg signatures"
> > patch, just it's far from complete at the moment
> That's what I was thinking about. I know that there was more than
> enought  articles about collisions in MD5 algorithm recently. And I
> don't think that using more secure hashing algorithm is paranoic. IMHO
> SHA-512 (which is _not_the_same_ as SHA1) will be right choice. GPG is
> much more complex to implement.
> But I see another thread about this is started, so let move there.
> -- 
> Roman Kyrylych (Роман Кирилич)

Why don't use both md5 and sha1 ? I don't mean md5 OR sha1, but md5 AND
sha1. _I_think_ it's virtually impossible to fuck two different hash

I'm just an arch user :)

Alessio 'mOLOk' Bolognino

More information about the pacman-dev mailing list