[pacman-dev] md5sum's aren't used as cryptographic algorithm? (was: $ARCH suffix on packages)

Roman Kyrylych roman.kyrylych at gmail.com
Wed Oct 11 17:47:30 EDT 2006

2006/10/12, Cameron Daniel <me at camdaniel.com>:
> On Thu, 12 Oct 2006 00:06:44 +0300
> "Roman Kyrylych" <roman.kyrylych at gmail.com> wrote:
> > This won't make the system more secure.
> > Because if somebody has the resources to find a collision in SHA1 then
> > I'm sure he/she/they can do the same with MD5.
> > And if they cannot do this for SHA1 then MD5 doesn't matter.
> >
> > Only using SHA-512 or public key cryptography really solves security
> > problems with both MD5 and SHA1.
> I think you're missing the point here. Using both doesn't just make it
> as strong as the strongest (sha1 here), sure someone could craft a
> tarball that matched the md5sum of the original tarball but then
> finding a sha1 collision and crafting the _same_ tarball to match both
> is going to be significantly more work if even possible.

Oh, it seems you are right. If didn't think about this issue, it's
already 0:45 at my timezone and I'm a bit tired and my head is now
working good :-). Nice explanation, BTW.

> I'm for using bzip over gzip as well. It's trivial to implement with
> libarchive and while it adds CPU time, it decreases download size in
> some cases by a few hundred KB. Net connections still aren't as quick
> as I'm sure a lot of us would like ha, bzip would probably end up with
> the slightly quicker install.

Yes, especially for people with slow connections (some users still
have dialup at <=33.6K!).

Roman Kyrylych (Роман Кирилич)

More information about the pacman-dev mailing list