Ivan Boldyrev <[EMAIL PROTECTED]> writes: [...]
> When you sign a patch, you just sign ./checksum file. But this file
> is a list of filenames and md5sums:

Ah. I assumed it was signing a patch, but I guess that wouldn't be as useful as signing the actual contents of what you end up with after applying the patch.

But that still means that the collisions would have to be in the actual contents of individual files. For most applications, I'd guess the opportunities for constructing usefully different pairs of files with collisions would be fairly limited.

Not that md5 shouldn't be substituted (indeed, I'm surprised it was used in the first place; are there common platforms where md5sum exists but sha1sum doesn't?), but I'm unconvinced that it's a significant risk.

_______________________________________________
Gnu-arch-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-arch-users
GNU arch home page:
http://savannah.gnu.org/projects/gnu-arch/
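An added example, not part of the original message and not GNU arch code: a sketch of the scheme discussed above, where only a manifest of filenames and digests is signed, showing that a tree is bound to the signature only as strongly as the per-file digest resists collisions. The `<name> <digest>` manifest layout, the function names, the sample files and the 16-bit `toy16` digest (a stand-in for any digest where collisions can be found) are all assumptions made for illustration.

```python
import hashlib
from itertools import count

def digest(data: bytes, algo: str) -> str:
    # "toy16" (constructed for this example) keeps only 16 bits of SHA-256,
    # standing in for any digest where collisions can actually be found.
    if algo == "toy16":
        return hashlib.sha256(data).hexdigest()[:4]
    return hashlib.new(algo, data).hexdigest()

def make_manifest(tree: dict, algo: str) -> str:
    # One "<name> <digest>" line per file; this text is the only thing signed.
    return "".join(f"{n} {digest(b, algo)}\n" for n, b in sorted(tree.items()))

def verify(tree: dict, signed_manifest: str, algo: str) -> bool:
    # The signature check on the manifest is assumed to have passed already;
    # what remains is comparing the tree against the signed digests.
    return make_manifest(tree, algo) == signed_manifest

def colliding_pair(a: bytes, b: bytes, algo: str):
    # Append a counter to two different contents until a variant of each
    # shares a digest. Feasible here only because toy16 is tiny.
    seen_a, seen_b = {}, {}
    for i in count():
        va, vb = a + b"%d\n" % i, b + b"%d\n" % i
        da, db = digest(va, algo), digest(vb, algo)
        seen_a.setdefault(da, va)
        seen_b.setdefault(db, vb)
        if da in seen_b:
            return va, seen_b[da]
        if db in seen_a:
            return seen_a[db], vb

def demo() -> dict:
    # Constructed sample tree: one file is swapped for its colliding twin.
    reviewed, other = colliding_pair(b"limit = 10  # ", b"limit = 99  # ", "toy16")
    signed_tree = {"README": b"constructed sample\n", "conf": reviewed}
    swapped_tree = dict(signed_tree, conf=other)
    weak = make_manifest(signed_tree, "toy16")
    strong = make_manifest(signed_tree, "sha256")
    return {
        "contents differ": reviewed != other,
        "weak manifest accepts swapped tree": verify(swapped_tree, weak, "toy16"),
        "sha256 manifest accepts swapped tree": verify(swapped_tree, strong, "sha256"),
    }

if __name__ == "__main__":
    for claim, result in demo().items():
        print(f"{claim}: {result}")
```

The swapped file has to carry filler (here a counter in a trailing comment) to reach a matching digest, which is the constraint on "usefully different" file pairs that the reply points to.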
