[Bug 1100295] Re: MD5 is insecure, add modern hashing
Anders Kaseorg
andersk at mit.edu
Fri Jan 8 21:23:45 UTC 2016
No. apt uses the archive’s SHA-256 hashes to verify packages when they
are initially downloaded, but debsums is for re-checking the installed
files after installation, and the only currently available per-file
hashes are MD5.
See https://wiki.debian.org/Sha256sumsInPackages for some prior work in
this area (though it has seen essentially no updates for five years).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1100295
Title:
MD5 is insecure, add modern hashing
Status in debsums package in Ubuntu:
Confirmed
Status in dpkg package in Ubuntu:
Confirmed
Bug description:
MD5 is insecure due to hash collisions.
Add more modern and reliable hashing algorithms such as SHA-1, SHA-2
or SHA-3.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debsums/+bug/1100295/+subscriptions