Wouter Verhelst <wou...@debian.org> writes:

> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.

I don't understand why you say this. Cryptographic attacks on MD5 aren't going to happen as a result of random file corruption. The MD5 checksums are still very effective at finding file corruption or modification from what's in the Debian package unless that modification was done by a sophisticated attacker (MD5 preimage attacks are still not exactly easy).

Detecting compromises is useful, but only a small part of what the MD5 checksums are useful for. I'd more frequently use them to detect well-intentioned but misguided meddling by a local sysadmin.

I certainly don't object to replacing them with SHA1 hashes, although signed deb packages would still be my preferred solution to this problem.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/874okyuov4....@windlord.stanford.edu
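
An added example, not part of the original message: a sketch of the integrity check discussed above, verifying files on disk against a dpkg-style md5sums listing (one `<md5>  <relative path>` entry per line). The file tree, file names and contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse '<32 hex digits>  <path relative to root>' lines into {path: md5}."""
    entries = {}
    for line in text.splitlines():
        if len(line) > 34:  # 32 hex chars + 2 separator chars + non-empty path
            entries[line[34:]] = line[:32].lower()
    return entries

def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify(root, md5sums_text):
    """Return {path: 'ok' | 'changed' | 'missing'} for every listed file."""
    report = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if file_md5(full) == expected else "changed"
    return report

def demo():
    # Constructed sample: a tiny fake package tree, not real package contents.
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/tool": b"#!/bin/sh\necho hi\n",
                 "etc/tool.conf": b"verbose=0\n",
                 "usr/share/doc/tool/README": b"docs\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        listing = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n" for r, d in files.items())
        # Simulate a local admin's edit and an accidentally deleted file.
        with open(os.path.join(root, "etc/tool.conf"), "wb") as f:
            f.write(b"verbose=1\n")
        os.remove(os.path.join(root, "usr/share/doc/tool/README"))
        return verify(root, listing)

if __name__ == "__main__":
    print(demo())
```

The listing here is an unsigned local file, so the check catches accidental corruption and local edits but gives no assurance against someone able to rewrite the listing as well.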