On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý <ond...@sury.org> wrote:
> On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise <p...@debian.org> wrote:
> So, yeah let's drop MD5, but don't introduce neither SHA512 nor SHA-3
> unless there's a cryptographical need (there isn't at the moment).

Actually, it might be less controversial to drop SHA1[0] as the MD5 has fieldnames (as Guillem already mentioned) which are probably assumed to be present. I have not checked (-ETIME) that for APT now, but somehow I would be surprised if it wouldn't dislike (some) missing MD5 sections even if it isn't using the sections for providing MD5, but because they have a wonderfully stable name like "Files".

It's not like we are anywhere near to a "cryptographical need" to drop MD5 (as you have to do (at least) two pre-image attacks in a row with the same file (aka compressed and uncompressed) – and as a bonus, the filesize has to match as well – not to mention that the file has to make sense…) and at the time we do, SHA1 is probably not an interesting candidate.

Best regards

David Kalnischkies

[0] except in pdiffs as that is the only supported in there so far
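
The checks the message above alludes to (size plus digest, for both the compressed and the uncompressed index), as an added example that is not part of the original message and is not APT's code. The field names MD5Sum, SHA1 and SHA256 follow the Debian Release file layout; the file names, the sample data and the `required` policy are assumptions constructed for illustration.

```python
import gzip
import hashlib

# Release field name -> hashlib algorithm name
FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {filename: {"size": int, "digests": {field: hexdigest}}}."""
    entries, field = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):              # continuation of the current field
            if field in FIELDS:
                digest, size, name = line.split()
                e = entries.setdefault(name, {"size": int(size), "digests": {}})
                if e["size"] != int(size):
                    raise ValueError(f"inconsistent size for {name}")
                e["digests"][field] = digest
        else:
            field = line.split(":", 1)[0]
    return entries

def verify(name, data, entries, required=("SHA256",)):
    """Size and every listed digest must match; a missing required field fails."""
    e = entries.get(name)
    if e is None or len(data) != e["size"]:
        return False
    if any(f not in e["digests"] for f in required):   # assumed policy, not APT's
        return False
    return all(hashlib.new(FIELDS[f], data).hexdigest() == d
               for f, d in e["digests"].items())

def verify_pair(gz_name, gz_data, entries):
    """Compressed file is checked first; only then is it decompressed and re-checked."""
    return (verify(gz_name, gz_data, entries)
            and verify(gz_name[:-3], gzip.decompress(gz_data), entries))

def build_release(files):
    """Build a sample Release-style text for {name: bytes} (test data only)."""
    out = []
    for field, algo in FIELDS.items():
        out.append(f"{field}:")
        out.extend(f" {hashlib.new(algo, d).hexdigest()} {len(d)} {n}" for n, d in files.items())
    return "\n".join(out) + "\n"

# Constructed sample data, not taken from any real archive
PLAIN = b"Package: hello\nVersion: 1.0\n"
GZ = gzip.compress(PLAIN, mtime=0)
RELEASE = build_release({"main/Packages": PLAIN, "main/Packages.gz": GZ})
ENTRIES = parse_release(RELEASE)
```

With this policy an index that lacks the MD5Sum section still verifies, while one that carries only MD5Sum is rejected.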