BTW, for those concerned, there's nothing at the ASF that says you must use only MD5. You can add SHA-1 or any other algorithm if you want. See Ant for example: they've been doing MD5 and SHA-1 side by side for years now (http://ant.apache.org/bindownload.cgi)
Yoav On 12/8/06, Yonik Seeley <[EMAIL PROTECTED]> wrote:
On 12/8/06, Chris Hostetter <[EMAIL PROTECTED]> wrote: > : It _is_ a valid concern in general (I would never use md5 as a > : cryptographic hash, e.g., for passwords), but significantly less of a > : concern for this use. The most important role of the hash is to > : ensure no corruption occurred during transfer. > > Bingo: We checksum the files with MD5, we sign the files with GPG And the standard digital signature content hash is defined to be SHA-1 AFAIK. And yes, someone has managed to find a way to get collisions in SHA1 hashes in less time than it would take to purely guess at random. But let's be serious... for our projects it's going to be far easier and cheaper to circumvent the encryption than break it. When PGP/GPG switch to a different mechanism by default, so will we. -Yonik
