[Slackbuilds-users] Retire MD5 for SHA256

David O'Shaughnessy lists at osh.id.au
Fri Aug 10 06:50:19 UTC 2018


Hi everyone, since SBo relies on maintainers to individually verify the
authenticity of source archives (i.e., check the signature and provide a
checksum), the user's link to upstream verification rests on the SBo
published checksum. Given that MD5 is badly broken, would it not be more
prudent to publish a SHA256 instead?

I understand that MD5 is useful for checking for unintentionally
corrupted downloads, but it seems to leave open the possibility for a
subsequently maliciously altered archive (i.e., one that uses hash
collisions to produce the same MD5, but which would fail a GPG signature
check).

Perhaps something to consider for the 15.0 set?

https://en.wikipedia.org/wiki/MD5
http://www.stopusingmd5now.com/home

--
Dave
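As an added illustration of the checksum step discussed above (this is example code, not part of the mail and not SlackBuilds.org's own tooling), the script below models both sides: a maintainer publishing checksum lines in a `.info`-style file, and a user verifying a downloaded archive against them. `MD5SUM` is the field the post refers to; `SHA256SUM` is a hypothetical field standing in for the proposal. The archive bytes are constructed inline. A verifier that sees only an MD5 can detect accidental corruption but reports the check as weak, because a matching MD5 is no longer evidence that the archive was not substituted.

```python
import hashlib
import hmac

# Constructed stand-ins for a genuine source tarball and a modified copy.
GENUINE_ARCHIVE = b"\x1f\x8b" + b"example-1.0 source tarball contents (constructed)"
TAMPERED_ARCHIVE = GENUINE_ARCHIVE + b"\x00"  # one extra byte

ALGOS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under the named algorithm."""
    return ALGOS[algo](data).hexdigest()


def publish_info(data: bytes, with_sha256: bool = True) -> str:
    """Maintainer side: emit checksum lines in the KEY="value" style of an
    SBo .info file. SHA256SUM is a hypothetical field for this example."""
    lines = [f'MD5SUM="{digest(data, "md5")}"']
    if with_sha256:
        lines.append(f'SHA256SUM="{digest(data, "sha256")}"')
    return "\n".join(lines) + "\n"


def parse_info(text: str) -> dict:
    """Parse KEY="value" lines into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def verify_archive(data: bytes, info_text: str) -> str:
    """User side. Compare every published digest against the download.

    Returns:
      'mismatch'    - any published digest disagrees (corrupt or substituted)
      'ok'          - a SHA256 was published and matches
      'weak-ok'     - only an MD5 was published and it matches; MD5 collisions
                      mean this does not rule out a deliberately altered archive
      'no-checksum' - nothing usable was published
    """
    fields = parse_info(info_text)
    published = {
        "sha256": fields.get("SHA256SUM"),
        "md5": fields.get("MD5SUM"),
    }
    for algo, expected in published.items():
        if expected is None:
            continue
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(digest(data, algo), expected.lower()):
            return "mismatch"
    if published["sha256"] is not None:
        return "ok"
    if published["md5"] is not None:
        return "weak-ok"
    return "no-checksum"


if __name__ == "__main__":
    info = publish_info(GENUINE_ARCHIVE)
    print(info)
    print("genuine :", verify_archive(GENUINE_ARCHIVE, info))
    print("tampered:", verify_archive(TAMPERED_ARCHIVE, info))
    print("md5 only:", verify_archive(GENUINE_ARCHIVE,
                                      publish_info(GENUINE_ARCHIVE, with_sha256=False)))
```

The verifier refuses on any mismatch before it grades the result, so a file carrying both digests cannot be accepted on the strength of the MD5 alone; only the SHA256 line promotes the outcome to a full pass.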
