[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Giancarlo Razzolini grazzolini at archlinux.org
Thu Feb 23 22:59:22 UTC 2017 

Em fevereiro 23, 2017 19:22 Allan McRae escreveu:
> On 24/02/17 07:58, Eli Schwartz wrote:
>> Good luck convincing Allan (you'll *need* it...).
> 
> Not going to happen...
> 

Allan,

        I want to pitch you another line of thought. I followed that discussion last year,
        and I've been following closely the fallout of today's google announcement on the
        "practical" sha1 attack.

        Anyone who actually read the paper, and got past the sensationalism and the hypeness
        of those vulnerabilities sites (why does everything needs a site now?), knows that
        it doesn't change much for our usage of sha1, or md5 for that matter.

        You argued on the last year's discussion that using stronger hashes would gave the
        a "false sense of security". I don't disagree with that. But I want to add that using
        weaker (if only in keyspace or cryptographically) also creates a false sense of
        *insecurity*.

        And this people that have this false sense of insecurity, will be the same people who
        will have the false sense of security, regardless of what we do. They don't use GPG,
        nor ever will. They don't care if upstream sign things. All they see is: md5, and now
        sha1, are "broken" and arch should stop using them.

        With that in mind, using stronger algorithms, would be very easy for us (that patch is
        trivial), wouldn't have any drawbacks (just that stupid people would fell "safer"), and
        would make those same people to stop complaining that we don't use strong hashes.

        I don't see the issue of upstream never signing things changing on the near future. So
        we should either do a bigger change, perhaps even that crc proposal of yours, or do this
        smaller change and use stronger hashes by default.

Cheers,
Giancarlo Razzolini
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 870 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20170223/e2ceb9e1/attachment.asc>

More information about the pacman-dev mailing list