[Slackbuilds-users] Retire MD5 for SHA256
David O'Shaughnessy
lists at osh.id.au
Fri Aug 10 06:50:19 UTC 2018
Hi everyone, since SBo relies on maintainers to individually verify the
authenticity of source archives (i.e., check the signature and provide a
checksum), the user's link to upstream verification rests on the SBo
published checksum. Given that MD5 is badly broken, would it not be more
prudent to publish a SHA256 instead?
I understand that MD5 is useful for checking for unintentionally
corrupted downloads, but it seems to leave open the possibility for a
subsequently maliciously altered archive (i.e., one that uses hash
collisions to produce the same MD5, but which would fail a GPG signature
check).
Perhaps something to consider for the 15.0 set?
https://en.wikipedia.org/wiki/MD5
http://www.stopusingmd5now.com/home
--
Dave
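As an added illustration of the check described in the post (my own code, not anything from SBo or the list), here is a small verifier that reads a SlackBuilds-style .info file, prefers a SHA256SUM field when one is present, and otherwise falls back to MD5SUM while flagging that the archive could only be checked against a collision-prone digest. The SHA256SUM key, the .info parsing rules and the archive bytes are assumptions constructed for the example.

```python
import hashlib
import re

# Digest fields in order of preference. MD5 is kept only as a fallback for
# legacy .info files and is marked weak because collisions are practical.
DIGESTS = (("SHA256SUM", "sha256", False), ("MD5SUM", "md5", True))


def parse_info(text):
    """Parse KEY="value" lines (assumed .info layout; values are space-separated
    lists, and a trailing backslash continues the value on the next line)."""
    text = text.replace("\\\n", " ")
    fields = {}
    for m in re.finditer(r'^([A-Z0-9_]+)="([^"]*)"', text, re.M):
        fields[m.group(1)] = m.group(2).split()
    return fields


def digest_hex(data, algo):
    return hashlib.new(algo, data).hexdigest()


def verify_archive(info_text, index, data):
    """Check the index-th DOWNLOAD entry against the strongest checksum listed.
    Returns (matches, algorithm_used, weak_digest_only)."""
    fields = parse_info(info_text)
    for key, algo, weak in DIGESTS:
        sums = fields.get(key)
        if not sums:
            continue  # field absent or empty: try the next weaker one
        if index >= len(sums):
            raise ValueError(f"{key} has no entry for download #{index}")
        return digest_hex(data, algo) == sums[index].lower(), algo, weak
    raise ValueError("no checksum field found in .info")


# Constructed sample archive and .info texts (not a real SlackBuild).
ARCHIVE = b"constructed tarball bytes, not a real source archive\n"
INFO_MD5_ONLY = (
    'PRGNAM="example"\n'
    'DOWNLOAD="https://example.invalid/example-1.0.tar.gz"\n'
    'MD5SUM="%s"\n' % digest_hex(ARCHIVE, "md5")
)
INFO_WITH_SHA256 = INFO_MD5_ONLY + 'SHA256SUM="%s"\n' % digest_hex(ARCHIVE, "sha256")

if __name__ == "__main__":
    print(verify_archive(INFO_MD5_ONLY, 0, ARCHIVE))      # (True, 'md5', True)
    print(verify_archive(INFO_WITH_SHA256, 0, ARCHIVE))   # (True, 'sha256', False)
    print(verify_archive(INFO_WITH_SHA256, 0, ARCHIVE + b"tampered"))  # (False, 'sha256', False)
```

A build script using this would treat weak_digest_only as a warning that the archive's link to upstream rests on MD5 alone, which is exactly the gap the post points out.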