On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
>
>
> Collisions for md5 and sha1 were found already,
> so it's likely that in the nearer future one of them alone won't be
> safe enough.
>
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.

There is a sha256 branch in bzr already that should solve this problem
in the future. As Colin pointed out, just using both hashes will not
improve security.

Cheers,
 Michael