Mike Frysinger wrote:
ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're
going to be leaving an insecure format, we might as well keep the one that is
a virtual standard in and of itself (MD5)
-mike
GLEP 44 says:
<snip>
For compatibility though we have to rely on at least one hash function to
always be present, this proposal suggests to use SHA1 for this purpose
(as it is supposed to be more secure than MD5 and currently only SHA1
and MD5 are directly available in python, also MD5 doesn't have any
benefit in terms of compatibility).
</snip>
Although the "more secure than MD5" part is now questionable, I suppose
the "directly available in python" part still holds? One point of the
GLEP is to make the tree smaller, so why keep more insecure formats when the
room they would occupy can be used for more secure formats like
sha256/512, although those can't be deemed the mandatory ones because
they're not directly in python.
So if both MD5 and SHA1 are now insecure but one of them needs to be the
mandatory one, the question is, is it still harder to crack SHA1 than
MD5? If yes, then just forget MD5.
--
Vlastimil Babka (Caster)
Gentoo/Java
--
gentoo-dev@gentoo.org mailing list