On Monday 12 December 2011, Johnny Hughes <johnny at centos.org> wrote: > There are known Collision Attacks for the MD5SUM method of hashing, > so it is possible to modify a file and make it have the same MD5SUM > as another file. See this link for details on Collision Attacks: > > http://en.wikipedia.org/wiki/Collision_attack > > Recommendation from the US-CERT concerning MD5SUM hashes: > > http://www.kb.cert.org/vuls/id/836068 > > Based on the above information, the CentOS team will be using > sha256sum (sha-2) and not md5sum to generate future hashes for > posting on our e-mail announcements to the CentOS Announce Mailing > List. MD5 is certainly broken, but would it be sufficient to go to sha1sum? According to my quick testing, sha256sum takes twice as long as sha1sum. -- Yves Bellefeuille <yan at storm.ca> "La Esperanta Civito ne rifuzas anticipe la kunlaboron de erarintoj, se ili konscias pri sia eraro." -- Heroldo Komunikas, n-ro 473.