[pacman-dev] MD5/SHA* why?
Xavier
shiningxc at gmail.com
Thu Jul 5 18:20:00 EDT 2007
On Thu, Jul 05, 2007 at 02:06:09PM -0700, Jason Chu wrote:
>
> I was the main person pushing for this and it was mostly for the malicious
> downloads.
>
> It's not the package downloading that I was worried about as much as the
> source tarballs. We use md5sums to make sure that the tarball we
> downloaded when building the package is the same as the tarball that the
> developer used when they built the package. If someone gets access to the
> upstream's server, we're using the md5sum to trust files over time.
>
Oh I see.
But what I am really wondering is why combine two existing algorithms
that have flaws instead of using one for which no flaw has been found yet?
Isn't it both less secure and more complicated?
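As an added illustration of the checksum practice the thread is debating (this is example code, not pacman's or makepkg's own implementation): a small verifier that pins one or more digests for a downloaded source tarball and rejects the file if any recorded digest does not match. The tarball bytes, the choice of MD5+SHA-1 as the "two flawed algorithms" pairing and SHA-256 as the single stronger alternative are assumptions made here for the demonstration; the thread itself does not name the second algorithm.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded source tarball (not a real artifact).
TARBALL = b"constructed-source-tarball-contents-v1.0\n" * 64


def digests(data: bytes, algos=("md5", "sha1", "sha256")) -> dict:
    """Hex digests of `data` for each named hashlib algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def verify(data: bytes, expected: dict) -> bool:
    """Return True only if every pinned digest in `expected` matches `data`.

    Comparison is constant-time so a mismatch reveals nothing about how
    many leading characters of the digest were correct.
    """
    actual = digests(data, tuple(expected))
    return all(hmac.compare_digest(actual[algo], expected[algo])
               for algo in expected)


# Two policies a build script could pin (assumed pairing, see lead-in):
# the combined check records two weaker digests, the single check records
# one digest from a function with no known practical attack at the time.
COMBINED_PINS = digests(TARBALL, ("md5", "sha1"))
SINGLE_PIN = digests(TARBALL, ("sha256",))


def check_download(data: bytes, policy: str) -> bool:
    """Verify `data` under the named pinning policy."""
    pins = {"combined": COMBINED_PINS, "single": SINGLE_PIN}[policy]
    return verify(data, pins)


if __name__ == "__main__":
    tampered = TARBALL[:-1] + b"X"  # one byte altered in the download
    for policy in ("combined", "single"):
        print(policy, "original:", check_download(TARBALL, policy),
              "tampered:", check_download(tampered, policy))
```

Either policy rejects a tarball that differs by a single byte; the question Xavier raises is not whether such checks detect accidental corruption but whether pinning two digests of weaker functions is a better defence against a deliberately crafted substitute than pinning one digest of a function with no known attack.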