(slightly OT) SHA-1 checksums to be replaced with something better at https://gnupg.org/download/integrity_check.html ?

Peter Lebbing peter at digitalbrains.com
Thu Mar 17 21:19:15 CET 2016


On 17/03/16 19:01, Daniel Villarreal wrote:
> Clarifications and updates on APT + SHA1 
> https://juliank.wordpress.com/2016/03/15/clarifications-and-updates-on-apt-sha1/
> "...note that SHA1 support is not dropped, we merely do not consider
> it trustworthy."

This page then continues:

> This means that it feels like SHA1 support is dropped, because 
> sources without SHA2 won’t work; but the SHA1 signatures will still 
> be used in addition to the SHA2 ones, so there’s no point removing 
> them (same for MD5Sum fields).

So, if I understand correctly, they intend to verify SHA2 checksums, and
/also/ verify SHA1 checksums and MD5 checksums ("will be used in
addition"). That's just overkill. Do you trust SHA2? Yes? Go with it.
No? Stop using it. Don't "augment its reliability" with other checksums,
especially MD5. That's wringing a poor snake for its oil... Although
probably no snakes were harmed in the process.

All the on-topicness has already been dealt with adequately, IMHO.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
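As an added illustration of the policy the two posters are discussing (this is example code written for this thread, not apt's own implementation nor anything from the quoted blog post), the small verifier below parses an APT-style Release body with MD5Sum, SHA1 and SHA256 sections and applies the rule "a file must be listed under SHA256, and the legacy fields are still checked in addition". The sample index files and Release bodies are constructed inline; the field names and line layout follow the Release format, but the split into trusted and untrusted fields is an assumption that mirrors the quoted post rather than apt's source. The check_legacy flag lets you compare that policy with Peter's "only verify what you trust" position on the same input.

```python
import hashlib

# Map from APT Release checksum field name to hashlib algorithm name.
HASH_FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# Fields treated as not trustworthy on their own. Assumption: this mirrors the
# policy described in the quoted blog post, not apt's own source code.
UNTRUSTED_FIELDS = {"MD5Sum", "SHA1"}
TRUSTED_FIELD = "SHA256"

# Constructed sample index files (not real archive contents).
PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
LEGACY_ONLY = b"Package: legacy\nVersion: 0.9\nArchitecture: all\n"


def build_release(entries):
    """Build a minimal Release body from (field, path, data) tuples.
    One digest line is emitted per tuple under its field's section."""
    sections = {}
    for field, path, data in entries:
        digest = hashlib.new(HASH_FIELDS[field], data).hexdigest()
        sections.setdefault(field, []).append(f" {digest} {len(data)} {path}")
    lines = ["Origin: Example", "Suite: stable"]
    for field in HASH_FIELDS:  # deterministic order: MD5Sum, SHA1, SHA256
        if field in sections:
            lines.append(f"{field}:")
            lines.extend(sections[field])
    return "\n".join(lines) + "\n"


def parse_release(text):
    """Return {path: {field: (hexdigest, size)}} for the checksum sections.
    Indented lines belong to the most recent 'Field:' header."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # a "Field:" header line
            name = line.split(":", 1)[0]
            current = name if name in HASH_FIELDS else None
            continue
        if current is None:
            continue
        digest, size, path = line.split()
        entries.setdefault(path, {})[current] = (digest.lower(), int(size))
    return entries


def verify(entries, path, data, check_legacy=True):
    """Verify `data` for `path` against a parsed Release.

    The file must be listed under the trusted field (SHA256) or it fails
    outright. With check_legacy=True the MD5Sum/SHA1 entries are verified too,
    so a mismatch in any of them fails (the policy in the quoted post). With
    check_legacy=False only the trusted field decides (the reply's position).
    Returns (ok, list_of_problems).
    """
    fields = entries.get(path, {})
    problems = []
    if TRUSTED_FIELD not in fields:
        return False, [f"{path}: no {TRUSTED_FIELD} entry; legacy fields "
                       f"present: {sorted(fields) or 'none'}"]
    for field, (digest, size) in fields.items():
        if field in UNTRUSTED_FIELDS and not check_legacy:
            continue
        actual = hashlib.new(HASH_FIELDS[field], data).hexdigest()
        if len(data) != size:
            problems.append(f"{path}: size mismatch in {field}")
        elif actual != digest:
            problems.append(f"{path}: {field} mismatch")
    return not problems, problems


# Scenario 1: a source that publishes all three fields.
RELEASE_FULL = build_release(
    [(f, "main/binary-amd64/Packages", PACKAGES) for f in HASH_FIELDS])
# Scenario 2: a source that never added SHA256 ("feels like SHA1 was dropped").
RELEASE_LEGACY = build_release([
    ("MD5Sum", "main/binary-all/Packages", LEGACY_ONLY),
    ("SHA1", "main/binary-all/Packages", LEGACY_ONLY),
])
# Scenario 3: SHA256 is right but the SHA1 line is wrong (constructed by
# swapping in the SHA1 of different bytes).
RELEASE_BAD_SHA1 = RELEASE_FULL.replace(
    hashlib.sha1(PACKAGES).hexdigest(),
    hashlib.sha1(b"not the same bytes").hexdigest())


def demo():
    """Run the three scenarios and return {name: (ok, problems)}."""
    p = "main/binary-amd64/Packages"
    return {
        "full": verify(parse_release(RELEASE_FULL), p, PACKAGES),
        "legacy_only": verify(parse_release(RELEASE_LEGACY),
                              "main/binary-all/Packages", LEGACY_ONLY),
        "bad_sha1_checked": verify(parse_release(RELEASE_BAD_SHA1), p, PACKAGES),
        "bad_sha1_ignored": verify(parse_release(RELEASE_BAD_SHA1), p, PACKAGES,
                                   check_legacy=False),
    }


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} {problems}")
```

The third scenario is the one that separates the two positions: with the legacy fields still checked, a stale or corrupted SHA1 line fails a file whose SHA256 is correct, which is exactly the extra surface the reply calls overkill; with check_legacy=False the SHA256 match alone decides and the legacy line is simply ignored.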
