On Tuesday, August 2, 2016 9:31:07 AM CEST Matthew White wrote:
> On Sat, 30 Jul 2016 12:01:16 +0200 Matthew White <[email protected]> wrote:
> > Hello,
> > I see that Metalink's checksum verification is limited to sha256.
> > 
> > I cannot find an option to enable md5, sha1, sha384, or sha512.
> > 
> > Attached to this message there is a patch to add md5, sha1, sha384, and
> > sha512 computation to the Metalink module.
> > 
> > Let me know what you think.
> 
> Hi,
> 
> After the suggestions of Tim, I changed the patch description. So, scratch
> the previous patch and use this one instead.
> 
> I also added support for sha-224 to the Metalink module.
> 
> There are two patches attached; the second one adds support for the
> deprecated md2 and md4. Since they are insecure, I prefer to keep the patch
> separate from the main one.
> 
> Do you think it's right to enable md2 and md4? Let me know.

IMO, this is right.
I don't see a security issue here - these algorithms are good enough to check 
the data integrity and that is all we use it for.

For authenticity we have TLS and/or the included GPG signature - where we 
could think about limiting/checking trusted identities only (or interactively 
ask the user if he knows/trusts the signer).

Regards, Tim
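
An added example, not part of the original messages or of wget's Metalink code: the integrity check under discussion, written in Python, parsing Metalink 4 (RFC 5854) `<hash>` elements and verifying a file against the strongest hash type listed. The function names, the file name `example.bin` and the sample data are assumptions constructed for illustration; md2 and md4 are left out because Python's `hashlib` does not guarantee them.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}  # Metalink 4 (RFC 5854) namespace

# Metalink hash type -> hashlib name, strongest first.
PREFERENCE = [("sha-512", "sha512"), ("sha-384", "sha384"), ("sha-256", "sha256"),
              ("sha-224", "sha224"), ("sha-1", "sha1"), ("md5", "md5")]

def parse_hashes(metalink_xml, file_name):
    """Return {hash type: hex digest} for the named <file> entry."""
    root = ET.fromstring(metalink_xml)
    for entry in root.findall("ml:file", NS):
        if entry.get("name") == file_name:
            return {h.get("type", "").lower(): (h.text or "").strip().lower()
                    for h in entry.findall("ml:hash", NS)}
    return {}

def verify(data, hashes):
    """Check data against the strongest supported hash that is listed.

    Returns (hash type used, matched). (None, False) means no usable hash was
    listed, which is reported as a failure rather than as "nothing to check".
    This is an integrity check only: it says nothing about who produced the
    Metalink document (that is what TLS or the GPG signature is for).
    """
    for ml_type, py_name in PREFERENCE:
        if ml_type in hashes:
            digest = hashlib.new(py_name, data).hexdigest()
            return ml_type, digest == hashes[ml_type]
    return None, False

# Constructed sample: digests are computed from SAMPLE_DATA, not taken from a real file.
SAMPLE_DATA = b"constructed sample payload\n"
SAMPLE_METALINK = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="example.bin">
    <hash type="md5">{hashlib.md5(SAMPLE_DATA).hexdigest()}</hash>
    <hash type="sha-256">{hashlib.sha256(SAMPLE_DATA).hexdigest()}</hash>
  </file>
</metalink>"""

if __name__ == "__main__":
    listed = parse_hashes(SAMPLE_METALINK, "example.bin")
    print(verify(SAMPLE_DATA, listed))         # intact download
    print(verify(SAMPLE_DATA + b"x", listed))  # corrupted download
```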
