[Gnu-arch-users] MD5 is broken


From: Ivan Boldyrev
Subject: [Gnu-arch-users] MD5 is broken
Date: Tue, 15 Mar 2005 20:03:32 +0600
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.4 (gnu/linux)

Arch uses MD5 internally.  But MD5 is not weak hash function, it was
attacked many times, and recently the first practical attack was created:

,----
| Two X-509 certificates with identical MD5 hashes:
| <http://www.win.tue.nl/~bdeweger/CollidingCertificates/>
| Faster MD5 collisions (eight hours on 1.6 GHz computer):
| <http://cryptography.hyperlink.cz/md5/MD5_collisions.pdf>
`----

GNU Arch must move away from MD5 ASAP.  Using strong crypto like GPG
for signing patches is a waste of CPU cycles, because the signed text is
a list of MD5 sums.

-- 
Ivan Boldyrev

                Tragedy of programmers is that computer is wonderful toy
                            and programmers have to use it in their work.

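The point about signing a list of checksums, as an added example that is not part of the original post and is not GNU Arch code: a signature over a manifest of digests protects the files only as far as the digest resists collisions. Assumptions: an HMAC stands in for the GPG signature, MD5 truncated to 20 bits stands in for a hash with practical collisions, and the manifest layout, file name, patch bodies and all function names are constructed for illustration.

```python
import hashlib
import hmac
from itertools import count

SIGNING_KEY = b"constructed-demo-key"  # assumption: stands in for the signer's GPG key

def weak_digest(data: bytes) -> str:
    """MD5 cut to 20 bits: a stand-in for any hash where collisions are practical."""
    return hashlib.md5(data).hexdigest()[:5]

def strong_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict, digest) -> str:
    """The text that actually gets signed: one 'digest  name' line per file."""
    return "\n".join(f"{digest(body)}  {name}" for name, body in sorted(files.items()))

def sign(files: dict, digest) -> tuple:
    manifest = build_manifest(files, digest)
    tag = hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, tag

def verify(files: dict, manifest: str, tag: str, digest) -> bool:
    """Check the signature over the manifest, then the files against the manifest."""
    expected = hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag) and build_manifest(files, digest) == manifest

def colliding_pair(digest) -> tuple:
    """Birthday search for two different constructed patch bodies with one digest."""
    seen_a, seen_b = {}, {}
    for i in count():
        a, b = b"reviewed change #%d\n" % i, b"unreviewed change #%d\n" % i
        da, db = digest(a), digest(b)
        seen_a[da], seen_b[db] = a, b
        if da in seen_b:
            return a, seen_b[da]
        if db in seen_a:
            return seen_a[db], b

def substitution_accepted(digest) -> bool:
    """Sign a tree, swap one file for a body colliding under weak_digest, re-verify."""
    original, substitute = colliding_pair(weak_digest)
    manifest, tag = sign({"patch-1": original}, digest)
    return verify({"patch-1": substitute}, manifest, tag, digest)

if __name__ == "__main__":
    print("20-bit MD5 manifest accepts swap:", substitution_accepted(weak_digest))
    print("SHA-256 manifest accepts swap:  ", substitution_accepted(strong_digest))
```

The signature check passes in both runs because the signed manifest text is never altered; only the file-to-digest comparison can catch the swap, and it does so only under the collision-resistant digest.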