Package: ftp.debian.org

Hi,
I was really happy to see that the signed Release file now includes MD5, SHA1, and SHA256 hashes for main/installer-*/current/images/MD5SUMS, which allows authenticating the debian-installer images (this was bug #611087). However, as mentioned in the bug, having just MD5SUMS is weak. MD5 only was a bad idea in 2004, and it's really not okay today -- for instance, the textbook I use in my computer and network security class has "Generate an MD5 collision" as one of the end-of-chapter problems [1].
Can you provide SHA256SUMS for the installer images in addition to MD5SUMS, and include them in the Release file too?
Thanks,
--
Geoffrey Thomas
geo...@mit.edu

[1] http://www.schneier.com/book-ce-links.html
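
The chain the report describes (signed Release, then the sums file, then the image) can be walked in code to show which hash an installer image ultimately depends on. This is an added example, not part of the bug report or of Debian's tooling; it assumes the Release file's signature has already been verified, and the image bytes, the `amd64` path and the `netboot/mini.iso` entry are constructed sample data.

```python
import hashlib

STRENGTH = ["md5", "sha1", "sha256"]            # weakest to strongest
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Map path -> {algo: hex digest} from a Release file's checksum sections."""
    entries, algo = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():       # field header such as "SHA256:"
            algo = SECTIONS.get(line.split(":", 1)[0])
        elif algo and line.strip():              # " <digest> <size> <path>"
            digest, _size, path = line.split(None, 2)
            entries.setdefault(path, {})[algo] = digest
    return entries

def parse_sums(text):
    """Map path -> hex digest from md5sum/sha256sum style lines."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            path = path.lstrip("*")
            sums[path[2:] if path.startswith("./") else path] = digest
    return sums

def verify_image(release_text, sums_path, sums_bytes, sums_algo, image_path, image_bytes):
    """Check Release -> sums file -> image; return the weakest hash the image depends on."""
    listed = parse_release(release_text)[sums_path]
    link1 = max(listed, key=STRENGTH.index)      # strongest hash Release offers
    if hashlib.new(link1, sums_bytes).hexdigest() != listed[link1]:
        raise ValueError("sums file does not match Release")
    expected = parse_sums(sums_bytes.decode())[image_path]
    if hashlib.new(sums_algo, image_bytes).hexdigest() != expected:
        raise ValueError("image does not match sums file")
    return min(link1, sums_algo, key=STRENGTH.index)

def build_sample(sums_algo, sums_name):
    """Constructed sample data: a fake image, its sums file and a Release excerpt."""
    image = b"constructed installer image bytes"
    sums = f"{hashlib.new(sums_algo, image).hexdigest()}  ./netboot/mini.iso\n".encode()
    path = f"main/installer-amd64/current/images/{sums_name}"
    release = "Suite: constructed\n" + "".join(
        f"{field}:\n {hashlib.new(a, sums).hexdigest()} {len(sums)} {path}\n"
        for field, a in SECTIONS.items())
    return release, path, sums, image

if __name__ == "__main__":
    for algo, name in (("md5", "MD5SUMS"), ("sha256", "SHA256SUMS")):
        release, path, sums, image = build_sample(algo, name)
        print(name, "->", verify_image(release, path, sums, algo, "netboot/mini.iso", image))
```

With MD5SUMS the image is bound only by MD5 even though Release lists a SHA256 for the MD5SUMS file itself; with SHA256SUMS every link is SHA256.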