[pacman-dev] MD5/SHA* why?

Xavier shiningxc at gmail.com
Tue Jul 3 17:46:35 EDT 2007


Oh no, when reading the archives, I forgot to bookmark several
important mails; it took me a while to find this one again:
http://www.archlinux.org/pipermail/pacman-dev/2006-October/006029.html
So that's Judd's opinion on that matter:
"I never pretended that md5 was for anything security-related.  If we
were trying for security, we would've gone straight to signed
packages.  The md5sum was added to make sure downloaded files weren't
corrupt.

I don't see the point of SHA1 if we're still using it/them for download
validation.  If we want security, then we might as well do it right."


As for my opinion on this, it's exactly the same as Andrew's: it
complicates the code for 0 benefit...



