Arch uses MD5 internally. But MD5 is not a weak hash function, it was attacked many times, and recently the first practical attack was created:
,----
| Two X-509 certificates with identical MD5 hashes:
| <http://www.win.tue.nl/~bdeweger/CollidingCertificates/>
| Faster MD5 collisions (eight hours on 1.6 GHz computer):
| <http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf>
`----

GNU Arch must move away from MD5 ASAP. Using strong crypto like GPG for signing patches is a waste of CPU cycles, because the signed text is a list of MD5 sums.

--
Ivan Boldyrev

Tragedy of programmers is that computer is wonderful toy and programmers have to use it in their work.
_______________________________________________
Gnu-arch-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-arch-users
GNU arch home page: http://savannah.gnu.org/projects/gnu-arch/
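
The argument in the message above, that a signature over a list of checksums protects the files only as far as the checksum resists collisions, shown as an added example that is not part of the original post and is not GNU Arch code. Assumptions: an HMAC stands in for the GPG signature, MD5 truncated to 24 bits stands in for a hash with cheap collisions so the search finishes instantly, and the "digest  name" manifest layout and all function names are hypothetical.

```python
import hashlib
import hmac
import itertools

SIGNING_KEY = b"constructed-demo-key"  # assumption: stands in for the signer's GPG key

def weak_digest(data: bytes) -> str:
    """Stand-in for a hash with cheap collisions: MD5 cut to 24 bits."""
    return hashlib.md5(data).hexdigest()[:6]

def strong_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _sign(text: str) -> str:
    return hmac.new(SIGNING_KEY, text.encode(), hashlib.sha256).hexdigest()

def sign_manifest(files, digest):
    """Sign only the list of digests, never the file bodies themselves."""
    manifest = "".join(f"{digest(body)}  {name}\n" for name, body in sorted(files.items()))
    return manifest, _sign(manifest)

def verify(files, manifest, signature, digest) -> bool:
    """Check the signature on the manifest, then each file against its listed digest."""
    if not hmac.compare_digest(_sign(manifest), signature):
        return False
    listed = {}
    for line in manifest.splitlines():
        value, name = line.split("  ", 1)
        listed[name] = value
    return set(listed) == set(files) and all(
        listed[name] == digest(body) for name, body in files.items())

def find_collision(digest):
    """Birthday search: return two different bodies with the same digest."""
    seen = {}
    for i in itertools.count():
        body = b"patch variant %d\n" % i  # constructed sample bodies
        key = digest(body)
        if key in seen:
            return seen[key], body
        seen[key] = body

if __name__ == "__main__":
    original, substitute = find_collision(weak_digest)
    for label, digest in (("weak", weak_digest), ("sha256", strong_digest)):
        manifest, sig = sign_manifest({"patch-1": original}, digest)
        print(label, "accepts substituted body:",
              verify({"patch-1": substitute}, manifest, sig, digest))
```

The signature check passes in both runs; only the per-file digest comparison differs, which is why replacing the manifest hash matters more than the strength of the signature algorithm.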
