On Thu, Feb 23, 2017 at 03:44:13PM +0100, minek van wrote: > fyi, > > https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html > https://shattered.it/
Talking from the ports side, ports and packages moved to SHA256 back in 2007/2008. Ports distinfo made it the only default in 2007, and pkg tools moved straight from md5 to sha1. Every article relating the break of md5 made it obvious sha1 was based on the same concepts, and it was just a matter of time until it broke too. (As far as I know, the SHA-256 family is different enough from SHA-1 that the same mathematical basis to the attack don't apply, plus the fact it lives in a substantially larger problem space) The md5 break forced us to make all this somewhat algorithm-independent, so if/whenever sha256 becomes brittle, moving to something else will be very painless.
