On Thu 2019-10-24 11:16:10 +0100, Steve McIntyre wrote:
> The vast majority of the usage of MD5 here is for (essentially)
> content-addressable storage. Given the context (with a checksum over
> the whole image too), this is not such a critical failing.

Is the final checksum over the whole image also MD5, or do we use something stronger? Is there a reason that a maintained version shouldn't use SHA256 instead?

From the Debian ecosystem perspective, it would be better to publish only a single set of "content-addressable" digests (hence this bug report), so whatever that mechanism is might as well also be cryptographically strong.

--dkg