[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Allan McRae allan at archlinux.org
Fri Feb 24 03:29:29 UTC 2017

On 24/02/17 08:59, Giancarlo Razzolini wrote:
> Em fevereiro 23, 2017 19:22 Allan McRae escreveu:
>> On 24/02/17 07:58, Eli Schwartz wrote:
>>> Good luck convincing Allan (you'll *need* it...).
>> Not going to happen...
> Allan,
>        I want to pitch you another line of thought. I followed that
> discussion last year,
>        and I've been following closely the fallout of today's google
> announcement on the
>        "practical" sha1 attack.
>        Anyone who actually read the paper, and got past the
> sensationalism and the hypeness
>        of those vulnerabilities sites (why does everything needs a site
> now?), knows that
>        it doesn't change much for our usage of sha1, or md5 for that
> matter.
>        You argued on the last year's discussion that using stronger
> hashes would gave the
>        a "false sense of security". I don't disagree with that. But I
> want to add that using
>        weaker (if only in keyspace or cryptographically) also creates a
> false sense of
>        *insecurity*.
>        And this people that have this false sense of insecurity, will be
> the same people who
>        will have the false sense of security, regardless of what we do.
> They don't use GPG,
>        nor ever will. They don't care if upstream sign things. All they
> see is: md5, and now
>        sha1, are "broken" and arch should stop using them.
>        With that in mind, using stronger algorithms, would be very easy
> for us (that patch is
>        trivial), wouldn't have any drawbacks (just that stupid people
> would fell "safer"), and
>        would make those same people to stop complaining that we don't
> use strong hashes.
>        I don't see the issue of upstream never signing things changing
> on the near future. So
>        we should either do a bigger change, perhaps even that crc
> proposal of yours, or do this
>        smaller change and use stronger hashes by default.

I find that a terrible argument.


More information about the pacman-dev mailing list