[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.
grazzolini at archlinux.org
Thu Feb 23 22:59:22 UTC 2017
Em fevereiro 23, 2017 19:22 Allan McRae escreveu:
> On 24/02/17 07:58, Eli Schwartz wrote:
>> Good luck convincing Allan (you'll *need* it...).
> Not going to happen...
I want to pitch you another line of thought. I followed that discussion last year,
and I've been following closely the fallout of today's google announcement on the
"practical" sha1 attack.
Anyone who actually read the paper, and got past the sensationalism and the hypeness
of those vulnerabilities sites (why does everything needs a site now?), knows that
it doesn't change much for our usage of sha1, or md5 for that matter.
You argued on the last year's discussion that using stronger hashes would gave the
a "false sense of security". I don't disagree with that. But I want to add that using
weaker (if only in keyspace or cryptographically) also creates a false sense of
And this people that have this false sense of insecurity, will be the same people who
will have the false sense of security, regardless of what we do. They don't use GPG,
nor ever will. They don't care if upstream sign things. All they see is: md5, and now
sha1, are "broken" and arch should stop using them.
With that in mind, using stronger algorithms, would be very easy for us (that patch is
trivial), wouldn't have any drawbacks (just that stupid people would fell "safer"), and
would make those same people to stop complaining that we don't use strong hashes.
I don't see the issue of upstream never signing things changing on the near future. So
we should either do a bigger change, perhaps even that crc proposal of yours, or do this
smaller change and use stronger hashes by default.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 870 bytes
Desc: not available
More information about the pacman-dev