Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-09 Thread Ondřej Surý
On Thu, Aug 8, 2013 at 10:21 PM, Wouter Verhelst wou...@debian.org wrote: On 05-08-13 02:16, Ben Hutchings wrote: On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote: On 03-08-13 13:45, Ondřej Surý wrote: I think it's useless to upgrade to SHA512 (or SHA-3), It's never useless to

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-08 Thread Wouter Verhelst
On 05-08-13 02:16, Ben Hutchings wrote: On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote: On 03-08-13 13:45, Ondřej Surý wrote: I think it's useless to upgrade to SHA512 (or SHA-3), It's never useless to upgrade to a stronger hash. The cost might outweigh the benefit, yes. But

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-08 Thread Ben Hutchings
On Thu, 2013-08-08 at 22:21 +0200, Wouter Verhelst wrote: On 05-08-13 02:16, Ben Hutchings wrote: On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote: On 03-08-13 13:45, Ondřej Surý wrote: I think it's useless to upgrade to SHA512 (or SHA-3), It's never useless to upgrade to a

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-08 Thread Russ Allbery
Wouter Verhelst wou...@debian.org writes: Simple mathematics. To me, a strong hash is a hash for which collisions are unlikely. A SHA512 hash is longer than a SHA1 hash. Therefore it has more bits. Therefore it has more possible values, which decreases the likelihood that two collections

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-07 Thread Steve McIntyre
David Kalnischkies wrote: On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise p...@debian.org wrote: If so, here is the list of software that probably needs updating: dak apt/apt-ftparchive reprepro launchpad dpkg-dev devscripts derivatives census (c)debootstrap Also, apt-get is forcing MD5 in

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-05 Thread Ian Jackson
Ondřej Surý writes (Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?): SHA512 doesn't bring any advantage over SHA256. AIUI SHA-512 is faster than SHA-256 on many processors, and not usually slower on the others. If the hashes are too long, they can be truncated. Ian

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-05 Thread Helmut Grohne
On Mon, Aug 05, 2013 at 01:33:24PM +0100, Ian Jackson wrote: AIUI SHA-512 is faster than SHA-256 on many processors, and not usually slower on the others. If the hashes are too long, they can be truncated. Not that I think it matters, but this got me interested. It appears that in practice

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-04 Thread Wouter Verhelst
On 03-08-13 13:45, Ondřej Surý wrote: I think it's useless to upgrade to SHA512 (or SHA-3), It's never useless to upgrade to a stronger hash. The cost might outweigh the benefit, yes. But that's a different matter. -- This end should point toward the ground if you want to go to space. If it

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-04 Thread Ben Hutchings
On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote: On 03-08-13 13:45, Ondřej Surý wrote: I think it's useless to upgrade to SHA512 (or SHA-3), It's never useless to upgrade to a stronger hash. The cost might outweigh the benefit, yes. But that's a different matter. What makes you

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-03 Thread Bernhard R. Link
* Paul Wise p...@debian.org [130802 15:54]: In any case, removing md5 support seems like a bad idea to me right now, as older software might not have been adapted to check the other hashes, or would imply breaking the current .dsc and .changes formats, as the Files field uses md5. We've

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-03 Thread Ian Campbell
On Fri, 2013-08-02 at 15:29 +0200, Guillem Jover wrote: I was wondering if it is time to drop or deprecate MD5 from the apt metadata and replace it with SHA512 and or SHA-3. Thoughts? Adding stronger hashes support seems in general like a good idea, but I've never quite understood the urge

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-03 Thread Paul Wise
On Sat, Aug 3, 2013 at 12:30 PM, Ian Campbell wrote: Did debian-devel not have this same conversation not so long ago? I'm getting that deja vu feeling... Yes: http://lists.debian.org/1349911198.3341.117.ca...@fermat.scientia.net I probably should have searched the archives before posting,

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-03 Thread Ondřej Surý
On Fri, Aug 2, 2013 at 8:57 PM, David Kalnischkies kalnischk...@gmail.com wrote: On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý ond...@sury.org wrote: On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise p...@debian.org wrote: So, yeah let's drop MD5, but don't introduce either SHA512 or SHA-3 unless

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-03 Thread Ondřej Surý
On Sat, Aug 3, 2013 at 1:34 PM, Paul Wise p...@debian.org wrote: On Sat, Aug 3, 2013 at 12:30 PM, Ian Campbell wrote: Did debian-devel not have this same conversation not so long ago? I'm getting that deja vu feeling... Yes:

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-03 Thread Henrique de Moraes Holschuh
On Sat, 03 Aug 2013, Ondřej Surý wrote: [IANACryptoguy] As far as I understand the MD5 attacks the length doesn't matter. You just need to pick the package big enough to hold your evil content and the filling which you use to compute the same MD5 (e.g. collision vulnerability). I think that

new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-02 Thread Paul Wise
I noted[1] that some derivatives have introduced SHA512 into their Release files (and probably Packages/etc). I was wondering if it is time to drop or deprecate MD5 from the apt metadata and replace it with SHA512 and or SHA-3. Thoughts? If so, here is the list of software that probably needs

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-02 Thread Guillem Jover
Hi! On Fri, 2013-08-02 at 14:52:33 +0200, Paul Wise wrote: I noted[1] that some derivatives have introduced SHA512 into their Release files (and probably Packages/etc). This will increase those files (Packages, Sources, etc) by quite a bit, at least 128 bytes per entry. Is that something we

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-02 Thread Paul Wise
On Fri, Aug 2, 2013 at 3:29 PM, Guillem Jover wrote: Adding stronger hashes support seems in general like a good idea, but I've never quite understood the urge to remove weaker ones in case these get accumulated instead of replaced, as more hashes should also in general imply a harder time

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-02 Thread David Kalnischkies
On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise p...@debian.org wrote: If so, here is the list of software that probably needs updating: dak apt/apt-ftparchive reprepro launchpad dpkg-dev devscripts derivatives census (c)debootstrap Also, apt-get is forcing MD5 in --print-uris by default

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-02 Thread Ondřej Surý
On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise p...@debian.org wrote: I noted[1] that some derivatives have introduced SHA512 into their Release files (and probably Packages/etc). I was wondering if it is time to drop or deprecate MD5 from the apt metadata and replace it with SHA512 and or SHA-3.

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

2013-08-02 Thread David Kalnischkies
On Fri, Aug 2, 2013 at 6:33 PM, Ondřej Surý ond...@sury.org wrote: On Fri, Aug 2, 2013 at 2:52 PM, Paul Wise p...@debian.org wrote: So, yeah let's drop MD5, but don't introduce either SHA512 or SHA-3 unless there's a cryptographical need (there isn't at the moment). Actually, it might be