[pacman-dev] MD5/SHA* why?
Andrew Fyfe
andrew at neptune-one.net
Wed Jul 4 18:36:55 EDT 2007
Xavier wrote:
> Oh no, when reading the archives, I forgot to bookmark several
> important mails, took me a while to find this one back:
> http://www.archlinux.org/pipermail/pacman-dev/2006-October/006029.html
> So that's Judd's opinion on that matter:
> "I never pretended that md5 was for anything security-related. If we
> were trying for security, we would've gone straight to signed
> packages. The md5sum was added to make sure downloaded files weren't
> corrupt.
>
> I don't see the point of SHA1 if we're still using it/them for download
> validation. If we want security, then we might as well do it right."
>
>
> As for my opinion on this, it's exactly the same as Andrew, it
> complicates the code for 0 benefit...

I fully agree with Judd's comment, using MD5 or SHA1 for security is
plain stupid; all we want a checksum for is a basic check that the
package we've downloaded isn't corrupt. What are the odds you could
download a corrupt package with the same checksum as the valid package?

My preference would be to stick with 1 checksum (preferably MD5 as
that's what's mainly used in Arch at the moment), and remove the other
to simplify the code.... K.I.S.S.

Andrew