There are known Collision Attacks for the MD5SUM method of hashing, so it is possible to modify a file and make it have the same MD5SUM as another file.

See this link for details on Collision Attacks:
http://en.wikipedia.org/wiki/Collision_attack

Recommendation from the US-CERT concerning MD5SUM hashes:
http://www.kb.cert.org/vuls/id/836068

Based on the above information, the CentOS team will be using sha256sum (sha-2) and not md5sum to generate future hashes for posting on our e-mail announcements to the CentOS Announce Mailing List.

Thanks,
Johnny Hughes
The CentOS Project
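
Added example, not part of the original announcement and not CentOS project code: a Python check of downloaded files against the checksum lines of an announcement, accepting only SHA-256 entries and flagging MD5-length ones instead of trusting them. The `digest  filename` line layout, the file names and the status strings are assumptions made for illustration, and the sample announcement body is constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Hex digest length -> algorithm (MD5 is 128 bits, SHA-256 is 256 bits).
HEX_LEN_TO_ALGO = {32: "md5", 64: "sha256"}
ENTRY = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")

def parse_checksum_lines(text):
    """Yield (algorithm, hex_digest, filename); lines that are not entries are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and len(m.group(1)) in HEX_LEN_TO_ALGO:
            yield HEX_LEN_TO_ALGO[len(m.group(1))], m.group(1).lower(), m.group(2)

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(text, directory):
    """Return {filename: status}: 'ok', 'mismatch', 'missing' or 'weak-md5'."""
    results = {}
    for algo, digest, name in parse_checksum_lines(text):
        path = Path(directory) / Path(name).name  # drop any directory part in the list
        if algo != "sha256":
            results[name] = "weak-md5"  # an MD5 match proves nothing against collisions
        elif not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "example-1.0.rpm").write_bytes(b"constructed package bytes")
        good = hashlib.sha256(b"constructed package bytes").hexdigest()
        announce = (  # constructed announcement body, not a real CentOS e-mail
            "x86_64:\n"
            f"{good}  example-1.0.rpm\n"
            "0123456789abcdef0123456789abcdef  legacy-1.0.rpm\n"
        )
        print(verify(announce, d))
```

The checksum list is only as trustworthy as the channel it arrived over, which is why the announcement itself carries an OpenPGP signature.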