[pacman-dev] md5sum's aren't used as cryptographic algorithm? (was: $ARCH suffix on packages)

Cameron Daniel me at camdaniel.com
Wed Oct 11 17:47:40 EDT 2006


On Thu, 12 Oct 2006 00:06:44 +0300
"Roman Kyrylych" <roman.kyrylych at gmail.com> wrote:
 
> This won't make the system more secure.
> Because if somebody has the resources to find a collision in SHA1 then
> I'm sure he/she/they can do the same with MD5.
> And if they cannot do this for SHA1 then MD5 doesn't matter.
> 
> Only using SHA-512 or public key cryptography really solves security
> problems with both MD5 and SHA1.

I think you're missing the point here. Using both doesn't just make it
as strong as the strongest (sha1 here). Sure, someone could craft a
tarball that matched the md5sum of the original tarball, but then
finding a sha1 collision and crafting the _same_ tarball to match both
is going to be significantly more work, if even possible.

I'm for using bzip over gzip as well. It's trivial to implement with
libarchive and while it adds CPU time, it decreases download size in
some cases by a few hundred KB. Net connections still aren't as quick
as I'm sure a lot of us would like, ha; bzip would probably end up with
the slightly quicker install.

  - Cameron
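
The dual-checksum check discussed in this thread, as an added example that is not part of the original message or of pacman's code: a file is accepted only when both its MD5 and SHA-1 digests match the recorded values. The function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def digest_file(path, algorithms=("md5", "sha1"), chunk_size=65536):
    """Read the file once and feed every chunk to all hash objects."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(path, expected):
    """Return the algorithms whose digest does NOT match (hypothetical helper).

    An empty list means every expected digest matched; only then should the
    package be accepted. A match on one algorithm alone is a failure.
    """
    actual = digest_file(path, tuple(expected))
    return [name for name, want in expected.items()
            if not hmac.compare_digest(actual[name], want.lower())]


def demo():
    # Constructed sample data standing in for a package tarball.
    original = b"constructed sample package contents\n"
    tampered = b"constructed sample package contents!\n"
    expected = {"md5": hashlib.md5(original).hexdigest(),
                "sha1": hashlib.sha1(original).hexdigest()}
    results = {}
    for label, data in (("original", original), ("tampered", tampered)):
        fd, path = tempfile.mkstemp()
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            results[label] = verify_package(path, expected)
        finally:
            os.remove(path)
    return results


if __name__ == "__main__":
    print(demo())
```
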



