[Slackbuilds-users] sha256sum instead of md5sum?

King Beowulf kingbeowulf at gmail.com
Sat Apr 18 18:04:30 UTC 2015



On 04/17/2015 04:28 PM, Ryan P.C. McQuen wrote:
> Hello fellow Slackers,
> 
> Has this idea ever been bounced around?
> 
> Switch from md5sum to sha256sum for *.info files? Obviously it
> would be a pretty big undertaking, and maybe not really worth it
> ... what are the thoughts of the great minds here?
> 
> Best, Ryan
> 

Since the purpose of our current implementation is to simply verify
that the source download is not corrupted, why not use something fast
and simple, and that is not used in security applications?

I can't find the link ATM, but I read an article a while back warning
of the security threat to creating heaps of public hashes via SHA-2,
etc.  MD5 et al. is pretty much dead to security because of its online
prevalence.

All we need is a simple CRC or checksum algorithm with low collision
probability.  For SBo purposes, we aren't concerned with security of
the source, that is upstream's job (e.g. with proper signature file),
so we don't need anything complex, just a simple CRC or checksum.

For example, zlib and rsync use Adler-32.  It has a few security
weaknesses, but as a quick download check?

Or perhaps just simply, cksum, already included in Slackware (CRC32).

Perhaps the question is not "Should we switch from md5sum to
sha256sum?" but rather "Should we switch to a simpler CRC or checksum
algorithm that does not have security implications?"

As always, just my 2 cents...
-Ed

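The distinction Ed draws above, corruption detection versus security, worked as an added example. This is my own demonstration code, not anything from SlackBuilds.org or its tooling; it uses zlib's CRC-32 and Adler-32 (not the POSIX cksum CRC variant, which uses a different polynomial and appends the length) and hashlib, on a constructed stand-in for a source tarball. It shows that all four algorithms catch a flipped bit, that an attacker can append four bytes to an arbitrary replacement file so its CRC-32 matches the original, and that Adler-32 collides on two different three-byte inputs. The forging technique is the standard "reverse the CRC register" method; function and variable names are my own.

```python
"""Checksum vs. hash for a download check: constructed demonstration."""
import hashlib
import zlib

# Constructed stand-in for a downloaded source archive.
SAMPLE = b"fake-source-tarball-contents " * 64

# zlib's reflected CRC-32 table (polynomial 0xEDB88320), rebuilt here so the
# update step can be run backwards.
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)
# For CRC-32 the top byte of a table entry identifies the entry uniquely.
_BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(_TABLE)}


def checksums(data: bytes) -> dict:
    """The four digests the thread compares, as hex strings."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "adler32": f"{zlib.adler32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate transport corruption by flipping a single bit."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def detects_corruption(data: bytes, bit: int = 1000) -> dict:
    """True per algorithm if a one-bit flip changes its output."""
    before, after = checksums(data), checksums(flip_bit(data, bit))
    return {k: before[k] != after[k] for k in before}


def _undo_zero_byte(reg: int) -> int:
    """Invert one CRC-32 update step (reg = T[(reg^b)&0xFF] ^ (reg>>8)) for b = 0."""
    i = _BY_TOP_BYTE[reg >> 24]
    return ((reg ^ _TABLE[i]) << 8) | i


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + suffix) == target.

    Feeding bytes b1..b4 from register r leaves the same state as feeding
    four zero bytes from r XOR little_endian(b1..b4), since the update is
    linear over GF(2).  So step the wanted register back through four
    zero-byte updates and XOR it with the current register.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # undo final XOR: internal register
    want = target ^ 0xFFFFFFFF
    for _ in range(4):
        want = _undo_zero_byte(want)
    return ((reg ^ want) & 0xFFFFFFFF).to_bytes(4, "little")


def tampered_with_matching_crc(original: bytes, payload: bytes) -> bytes:
    """An attacker's replacement file whose CRC-32 equals the original's."""
    return payload + forge_crc32_suffix(payload, zlib.crc32(original))


# Adler-32 is weaker still on short input: both running sums agree here.
ADLER_COLLISION = (b"\x00\x02\x00", b"\x01\x00\x01")


if __name__ == "__main__":
    evil = tampered_with_matching_crc(SAMPLE, b"TAMPERED-CONTENT " * 8)
    print("bit flip detected:", detects_corruption(SAMPLE))
    print("original:", checksums(SAMPLE))
    print("tampered:", checksums(evil))  # crc32 equal, sha256 differs
    print("adler32 collision:",
          zlib.adler32(ADLER_COLLISION[0]) == zlib.adler32(ADLER_COLLISION[1]))
```

Both halves of the argument fall out of the output: a CRC or Adler-32 catches the corruption case just as well as a hash does, and none of the checksums, CRC-32 included, stands up to a deliberate substitution, which is the part a signature on the upstream tarball has to cover.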