Re: [Gnu-arch-users] SHA1 sums for checksums file

[Colin Walters]

On Tue, 2004-01-06 at 11:10, Tom Lord wrote:

> We should be able to eliminate that limitation, I think.

I have done so as of patch-2 in my archive:

address@hidden
  tla
    tla--mainline
      tla--mainline--1.2

[...]
        patch-2
          fix some bugs, and only validate SHA1 checksums if available 
[COMPATIBLE AGAIN]

> (Assuming I do merge in SHA1 support, then) I don't mind leaving md5.c
> linked in.  

As I mentioned in the patch log, we *also* use MD5 sums.  

>   Is your opinion that md5 security is _so_ bad that
> revisions currently using it should be changes?   

It's probably not critical.  The attacks against MD5 found so far aren't
quite practical, but they're still close enough to give little
confidence that no such attack will be found.

> Or would it be
> enough to just use sha1 on new revisions?

I'd prefer to use both.

signature.asc
Description: This is a digitally signed message part