[EMAIL PROTECTED] (Ludovic Courtès) writes:

> BTW, I'd strongly recommend using SHA1 sums (e.g., via `sha1sum', part
> of GNU Coreutils) rather than MD5.

Yeah, that's probably best.

> See the example at http://www.cits.rub.de/MD5Collisions/ if in
> doubt.  ;-)

Well, they get to choose both texts that have an MD5 collision.
Looking at the PostScript source reveals that the texts have been
rigged, which should be enough if this goes to court.  In our case, an
attacker would need to find a second meaningful text that collides
with the text that we provide.  I guess that is much harder to do.

And the tarball is signed with a SHA1 hash anyway.  Maybe I should
include the signature in the announcement and not a checksum...

-- 
GPG: D5D4E405 - 2F9B BCCC 8527 692A 04E3  331E FAF8 226A D5D4 E405


_______________________________________________
Guile-devel mailing list
Guile-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/guile-devel
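
The distinction drawn in the reply above (an attacker who chooses both colliding texts versus one who must match a text fixed by someone else) can be measured with a generic search. This is an added example, not code from the thread: it truncates MD5 to 16 bits (an assumption made only so both searches finish in seconds) and uses constructed sample messages; it does not break full MD5.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy size; real MD5 is 128 bits, SHA-1 is 160 bits

def toy_hash(data: bytes) -> int:
    """Top BITS bits of MD5, standing in for a full-size hash."""
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big") >> (32 - BITS)

def find_collision(prefix: bytes):
    """Attacker picks BOTH messages: return (m1, m2, tries) with equal toy_hash."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def find_second_preimage(target: bytes, prefix: bytes, limit: int = 1 << 22):
    """Attacker must match a FIXED message: return (m2, tries) or (None, limit)."""
    want = toy_hash(target)
    for i in range(limit):
        msg = prefix + str(i).encode()
        if msg != target and toy_hash(msg) == want:
            return msg, i + 1
    return None, limit

def compare():
    # Constructed sample inputs, not taken from the thread.
    m1, m2, c_tries = find_collision(b"attacker-chosen text ")
    forged, p_tries = find_second_preimage(b"release tarball contents",
                                           b"forged text ")
    return {"collision": (m1, m2, c_tries), "second_preimage": (forged, p_tries)}

if __name__ == "__main__":
    r = compare()
    print("collision after", r["collision"][2],
          "tries (generic cost about 2**(BITS/2))")
    print("second preimage after", r["second_preimage"][1],
          "tries (generic cost about 2**BITS)")
```

The generic costs scale as 2^(n/2) for a collision and 2^n for a second preimage, so at full digest size the gap is far wider than the toy run shows.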
