On Sat, 29 Nov 2008 15:00:20 +0100, Thomas Bächler <[EMAIL PROTECTED]> wrote:
> If this is to provide any security, we need to stop using md5! md5 is
> okay when trying to detect corrupted downloads, however it is possible
> to find collisions and thus build a "bad" package that has the same md5
> as the good package.

Well, it should be quite easy to use sha instead. I am not an expert but how easy is it to produce a valid package with the same md5sum? I know that creating "some" file is not hard.

--
Pierre Schmitz

Clemens-August-Straße 76
53115 Bonn

Phone 0228 9716608
Mobile 0160 95269831
Jabber [EMAIL PROTECTED]
WWW http://www.archlinux.de

