On Monday 12 December 2011, Johnny Hughes johnny@centos.org wrote:

There are known Collision Attacks for the MD5SUM method of hashing, so it is possible to modify a file and make it have the same MD5SUM as another file. See this link for details on Collision Attacks:

http://en.wikipedia.org/wiki/Collision_attack

Recommendation from the US-CERT concerning MD5SUM hashes:

http://www.kb.cert.org/vuls/id/836068

Based on the above information, the CentOS team will be using sha256sum (sha-2) and not md5sum to generate future hashes for posting on our e-mail announcements to the CentOS Announce Mailing List.

MD5 is certainly broken, but would it be sufficient to go to sha1sum? According to my quick testing, sha256sum takes twice as long as sha1sum.