[CentOS-announce] Using sha256sum instead of md5sum for package checksums
Johnny Hughes
johnny at centos.org
Mon Dec 12 07:39:04 EST 2011
There are known Collision Attacks for the MD5SUM method of hashing, so
it is possible to modify a file and make it have the same MD5SUM as
another file. See this link for details on Collision Attacks:

http://en.wikipedia.org/wiki/Collision_attack

Recommendation from the US-CERT concerning MD5SUM hashes:

http://www.kb.cert.org/vuls/id/836068

Based on the above information, the CentOS team will be using sha256sum
(sha-2) and not md5sum to generate future hashes for posting on our
e-mail announcements to the CentOS Announce Mailing List.

Thanks,
Johnny Hughes
The CentOS Project
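
The following is an added example, not part of the original announcement and not CentOS tooling: a shell function that checks downloaded files against digests copied from an announcement and refuses MD5-length digests instead of silently trusting them. The `<hex digest>  <file name>` line format, the function names and the sample file names are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example: check downloaded files against digests copied from an
# announcement. Assumed list format (not shown on the page): "<hex>  <file>".

verify_announced() {  # usage: verify_announced LIST DIR; returns 0 if all match
    list=$1; dir=$2; rc=0; seen=0
    while read -r digest name || [ -n "$digest" ]; do
        case $digest in ''|\#*) continue ;; esac      # blank line or comment
        seen=1
        digest=$(printf '%s' "$digest" | tr 'A-F' 'a-f')
        case $name in    # only bare file names: no path may escape DIR
            ''|*/*) echo "REJECT  unsafe or missing file name: '$name'" >&2; rc=1; continue ;;
        esac
        case $digest in
            *[!0-9a-f]*) echo "REJECT  $name: digest is not hex" >&2; rc=1; continue ;;
        esac
        if [ "${#digest}" -eq 32 ]; then
            # 32 hex characters is the MD5 length: collisions are known, do not trust it
            echo "REJECT  $name: MD5-length digest, need SHA-256" >&2; rc=1; continue
        elif [ "${#digest}" -ne 64 ]; then
            echo "REJECT  $name: not a SHA-256 digest" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; rc=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$digest" ]; then
            echo "OK      $name"
        else
            echo "FAILED  $name" >&2; rc=1
        fi
    done < "$list"
    [ "$seen" -eq 1 ] || rc=1     # an empty list verifies nothing
    return "$rc"
}

demo() {  # constructed sample data: one SHA-256 line, one MD5-only line
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/pkg-a.rpm"
    printf 'hello\n' > "$d/pkg-b.rpm"
    printf '%s  pkg-a.rpm\n' "$(sha256sum "$d/pkg-a.rpm" | cut -d' ' -f1)" > "$d/good.txt"
    printf '%s  pkg-b.rpm\n' b1946ac92492d2347c6235b8d2611184 > "$d/md5.txt"
    verify_announced "$d/good.txt" "$d" && echo "SHA-256 list accepted"
    verify_announced "$d/md5.txt" "$d"  || echo "MD5-only list rejected"
    rm -rf "$d"
}

demo
```

A matching digest only shows that the file is the one the list describes; the list itself has to come from a source you trust, such as the signed announcement.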