[Bug 1100295] Re: MD5 is insecure, add modern hashing
Seth Arnold
1100295 at bugs.launchpad.net
Fri Sep 2 22:27:04 UTC 2016
I marked it "wontfix" because it seems to most accurately reflect the
state of things; the Ubuntu security team does not have resources to
propose these kinds of changes for dpkg, and considering the threat
model that debsums/dpkg's file md5sums are designed to address, it's
easy to see why no one else has provided patches for this yet either.
It's just not a common threat model: assume that an adversary can
overwrite something important but *not* the database or the tools that
maintain it or the libraries and kernel needed by those tools.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1100295
Title:
MD5 is insecure, add modern hashing
Status in Ubuntu GNOME:
Invalid
Status in debsums package in Ubuntu:
Won't Fix
Status in dpkg package in Ubuntu:
Won't Fix
Bug description:
MD5 is insecure due to hash collisions.
Add more modern and reliable hashing algorithms such as SHA-256 or
SHA-512.
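
Added example, not part of the original message and not dpkg or debsums code: a small Python sketch of the threat model described in the comment above, showing that a checksum database stored on the same host flags a changed file only while the database itself is untouched, whichever hash is used. The sample file, the temporary directory tree and the "offline copy" of the manifest are constructed assumptions; the manifest lines follow the `<md5>  <relative path>` layout of dpkg's *.md5sums files.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse '<md5hex>  <relative path>' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            entries[rel.strip()] = digest.lower()
    return entries


def changed_files(root: Path, manifest_text: str) -> list[str]:
    """Return paths that are missing or whose MD5 differs from the manifest."""
    bad = []
    for rel, digest in parse_md5sums(manifest_text).items():
        target = root / rel
        if not target.is_file() or md5_of(target) != digest:
            bad.append(rel)
    return sorted(bad)


def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tool = root / "usr/bin/tool"                    # constructed sample file
        tool.parent.mkdir(parents=True)
        tool.write_bytes(b"original contents\n")
        db = root / "var/lib/dpkg/info/tool.md5sums"    # database on the same host
        db.parent.mkdir(parents=True)
        db.write_text(f"{md5_of(tool)}  usr/bin/tool\n")
        offline_copy = db.read_text()   # assumption: a copy kept off the host

        results = {"clean": changed_files(root, db.read_text())}
        tool.write_bytes(b"modified contents\n")        # file changes, database intact
        results["file_only"] = changed_files(root, db.read_text())
        db.write_text(f"{md5_of(tool)}  usr/bin/tool\n")  # database rewritten as well
        results["file_and_db"] = changed_files(root, db.read_text())
        results["vs_offline_copy"] = changed_files(root, offline_copy)
        return results


if __name__ == "__main__":
    for case, bad in demo().items():
        print(f"{case:16} -> {bad}")
```

Only the comparison against the copy held outside the writable tree still reports the change once the local database has been rewritten.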