Matthew Burgess wrote:
> [EMAIL PROTECTED] wrote:
> 
>> According to this:- http://en.wikipedia.org/wiki/Md5 and a number of articles
>> I've seen on Slashdot, MD5 is apparently no longer entirely secure...there's a
>> story on /. at the moment actually about Microsoft dropping MD5 for use in
>> Vista.
>>
>> Should we possibly start considering something else?
> 
> 
> In what context?  For hashing our own tarballs?  Or do you mean not
> installing md5sum(1) and the like?  If the former, I agree though I
> don't see it as an urgent issue to deal with.  If the latter, I disagree
> on the basis of the fact that there's lots of files out there that have
> only been signed with MD5, and that algorithm is surely better than no
> verification procedure at all.

MD5 is just fine when checking things for integrity.  I wouldn't use it
for top secret documents, but for our purposes it is fine.  If an
original developer thinks it is that much of an issue, they can use
digital signatures to validate integrity.

I'd like to note that although there are advancing issues with md5sums,
it is *not* trivial to create an identical md5sum in different files.
Whenever addressing a security issue, you also have to consider the
risk.  I believe the idea of creating a trojan in a *source* package is
not really practical.  First, it would be found relatively quickly.
Second, relatively few people, in absolute terms, build from source.
Third, it would be very hard to do.

Another alternative to using md5sums to check the integrity of a system
is to use sha1sums in addition to md5sums.  It is not computationally
feasible to produce two files that have the same md5sum *and* sha1sum.

  -- Bruce