[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.
Allan McRae
allan at archlinux.org
Fri Feb 24 03:29:29 UTC 2017
On 24/02/17 08:59, Giancarlo Razzolini wrote:
> Em fevereiro 23, 2017 19:22 Allan McRae escreveu:
>> On 24/02/17 07:58, Eli Schwartz wrote:
>>> Good luck convincing Allan (you'll *need* it...).
>>
>> Not going to happen...
>>
>
> Allan,
>
> I want to pitch you another line of thought. I followed that
> discussion last year,
> and I've been following closely the fallout of today's google
> announcement on the
> "practical" sha1 attack.
>
> Anyone who actually read the paper, and got past the
> sensationalism and the hypeness
> of those vulnerabilities sites (why does everything needs a site
> now?), knows that
> it doesn't change much for our usage of sha1, or md5 for that
> matter.
>
> You argued on the last year's discussion that using stronger
> hashes would gave the
> a "false sense of security". I don't disagree with that. But I
> want to add that using
> weaker (if only in keyspace or cryptographically) also creates a
> false sense of
> *insecurity*.
>
> And this people that have this false sense of insecurity, will be
> the same people who
> will have the false sense of security, regardless of what we do.
> They don't use GPG,
> nor ever will. They don't care if upstream sign things. All they
> see is: md5, and now
> sha1, are "broken" and arch should stop using them.
>
> With that in mind, using stronger algorithms, would be very easy
> for us (that patch is
> trivial), wouldn't have any drawbacks (just that stupid people
> would fell "safer"), and
> would make those same people to stop complaining that we don't
> use strong hashes.
>
> I don't see the issue of upstream never signing things changing
> on the near future. So
> we should either do a bigger change, perhaps even that crc
> proposal of yours, or do this
> smaller change and use stronger hashes by default.
>
I find that a terrible argument.
A
More information about the pacman-dev
mailing list