On Friday 04 May 2007 13:46:12 Open Phugu wrote:
> On 5/4/07, John Fiore <[EMAIL PROTECTED]> wrote:
> > > Speaking of this, when will the OpenBSD project begin to post SHA256
> > > hashes to the ftp sites? MD5 is dead: these two files are different and
> > > yet have the same MD5 hash.
> > > http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
> > > http://www.cits.rub.de/imperia/md/content/magnus/order.ps
> >
> > Great.  Could you please show me the link to files that have the same
> > length and MD5 as those in the 4.1 release?
>
> That means nothing. If the OpenBSD project used a CRC16 to verify
> integrity, your argument would still hold. What matters is the ease of
> finding colliding files.
> While finding a file that has the same MD5 as an official file is hard, it
> seems ridiculous to trust the security of downloaded files using an
> algorithm that is known to be insecure. From a project that has always
> placed security before everything, I do not understand the motivation
> behind not using a secure algorithm such as SHA-256 or SHA-512.

Um, can you cite a single *real world* example of where md5 sums
have been co-opted in any way?  Yes, md5 now has a weakness, but
really, are there any cases of anyone having actually exploited it?

Note that the ports are using better hashes for 4.1-current.  I'll bet
that the 4.2 release will too, because it's the right thing to do,
but it isn't a flaming emergency.

I'm not an expert on this, but I do read.  Enlightenment is encouraged
if I'm missing something here.

--STeve Andre'
