[pacman-dev] $ARCH suffix on packages
Alessio 'mOLOk' Bolognino
themolok.ml at gmail.com
Wed Oct 11 17:09:30 EDT 2006
On 22:58 Wed 11 Oct , Alessio 'mOLOk' Bolognino wrote:
> On 23:48 Wed 11 Oct , Roman Kyrylych wrote:
> > 2006/10/11, VMiklos <vmiklos at frugalware.org>:
> > > > Then why do Frugalware guys use it instead of md5 now? What advantages
> > > > does it give them? I'm just curious.
> > >
> > > with md5sum, it's almost trivial to make collisions. mirrors can change
> > > packages without having the md5sum changed. with sha1, this is much more
> > > difficult
> > >
> > > and of course we know that sha1 is not a cryptographical algorithm,
> > > either. i plan to come up with an "optional support for gpg signatures"
> > > patch, just it's far from complete at the moment
> >
> > That's what I was thinking about. I know that there were more than
> > enough articles about collisions in the MD5 algorithm recently. And I
> > don't think that using a more secure hashing algorithm is paranoid. IMHO
> > SHA-512 (which is _not_the_same_ as SHA1) will be the right choice. GPG is
> > much more complex to implement.
> >
> > But I see another thread about this has started, so let's move there.
> >
> > --
> > Roman Kyrylych (Роман Кирилич)
>
> Why not use both md5 and sha1? I don't mean md5 OR sha1, but md5 AND
> sha1. _I_think_ it's virtually impossible to fuck two different hash
> algorithms.
>
> P.s.
> I'm just an arch user :)
>
Ok somebody else already said that, I didn't read the whole ml archive.
--
Alessio 'mOLOk' Bolognino
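
The "md5 AND sha1" check proposed in this thread, as an added example that is not part of the original message or of pacman's code: a package is accepted only if every recorded digest matches. The function name, the `expected` mapping and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import io


def verify_all_digests(stream, expected, chunk_size=65536):
    """Check a binary stream against every digest in `expected`
    (algorithm name -> hex digest). Returns (ok, mismatched_names);
    ok is True only when all recorded digests match."""
    if not expected:
        # No recorded digest means nothing was verified: fail closed.
        raise ValueError("no expected digests supplied")
    hashers = {name: hashlib.new(name) for name in expected}
    # Single pass over the data, feeding every hash at once.
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    mismatched = sorted(
        name for name, h in hashers.items()
        if not hmac.compare_digest(h.hexdigest(), expected[name].lower())
    )
    return (not mismatched, mismatched)


# Constructed sample data standing in for a package file (assumption).
SAMPLE_PKG = b"constructed package payload\n"
SAMPLE_EXPECTED = {
    "md5": hashlib.md5(SAMPLE_PKG).hexdigest(),
    "sha1": hashlib.sha1(SAMPLE_PKG).hexdigest(),
}

if __name__ == "__main__":
    # Untouched payload: both digests match.
    print(verify_all_digests(io.BytesIO(SAMPLE_PKG), SAMPLE_EXPECTED))
    # Modified payload: both digests are reported as mismatched.
    print(verify_all_digests(io.BytesIO(SAMPLE_PKG + b"x"), SAMPLE_EXPECTED))
```

The check is only as trustworthy as the source of `expected`: digests fetched from the same mirror as the package can be replaced along with it.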