Johnny Hughes
2011-Dec-12 12:39 UTC
[CentOS-announce] Using sha256sum instead of md5sum for package checksums
There are known Collision Attacks for the MD5SUM method of hashing, so it is possible to modify a file and make it have the same MD5SUM as another file. See this link for details on Collision Attacks:

http://en.wikipedia.org/wiki/Collision_attack

Recommendation from the US-CERT concerning MD5SUM hashes:

http://www.kb.cert.org/vuls/id/836068

Based on the above information, the CentOS team will be using sha256sum (sha-2) and not md5sum to generate future hashes for posting on our e-mail announcements to the CentOS Announce Mailing List.

Thanks,
Johnny Hughes
The CentOS Project
Yves Bellefeuille
2011-Dec-14 03:46 UTC
[CentOS] [CentOS-announce] Using sha256sum instead of md5sum for package checksums
On Monday 12 December 2011, Johnny Hughes <johnny at centos.org> wrote:

> There are known Collision Attacks for the MD5SUM method of hashing,
> so it is possible to modify a file and make it have the same MD5SUM
> as another file. See this link for details on Collision Attacks:
>
> http://en.wikipedia.org/wiki/Collision_attack
>
> Recommendation from the US-CERT concerning MD5SUM hashes:
>
> http://www.kb.cert.org/vuls/id/836068
>
> Based on the above information, the CentOS team will be using
> sha256sum (sha-2) and not md5sum to generate future hashes for
> posting on our e-mail announcements to the CentOS Announce Mailing
> List.

MD5 is certainly broken, but would it be sufficient to go to sha1sum? According to my quick testing, sha256sum takes twice as long as sha1sum.

--
Yves Bellefeuille <yan at storm.ca>
"The Esperanto Civitas does not refuse in advance the cooperation of those who have erred, if they are aware of their error." -- Heroldo Komunikas, no. 473.
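Added example, not code from either post or from the CentOS project: a small verifier for the `<hexdigest>  <filename>` listing format that md5sum, sha1sum and sha256sum print (the format in which the announcement's checksums are published), which infers the algorithm from the digest length, rejects MD5 and SHA-1 lines unless the caller explicitly opts in, hashes files in chunks, and compares digests in constant time. It also includes a throughput measurement of the three digests, the kind of "quick testing" the reply refers to. The file names and contents are constructed placeholders, not real CentOS release files, and the digest for `missing.iso` is simply SHA-256 of the empty string.

```python
import hashlib
import hmac
import io
import time

# Hex digest length -> algorithm, matching what md5sum / sha1sum / sha256sum print.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
# Collision-prone algorithms: rejected for integrity checks unless the caller opts in.
WEAK_ALGOS = {"md5", "sha1"}


def parse_checksum_line(line):
    """Parse one `<hexdigest>  <filename>` line as written by the coreutils *sum tools.
    Returns (algorithm, hexdigest, filename), or None for blank/comment lines.
    The algorithm is inferred from the digest length, since the line does not name it."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    parts = line.split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, filename = parts[0].lower(), parts[1]
    filename = filename.lstrip().lstrip("*")  # binary-mode output prefixes the name with '*'
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not hex: %r" % parts[0])
    algo = DIGEST_ALGOS.get(len(digest))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(digest))
    return algo, digest, filename


def hash_stream(stream, algo, chunk_size=1 << 20):
    """Hash a binary stream incrementally so a multi-GB ISO need not fit in memory."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_checksums(checksum_text, open_file, allow_weak=False):
    """Check every line of a checksum listing against the files it names.
    open_file(name) returns a binary stream or raises FileNotFoundError.
    Returns {filename: "OK" | "FAILED" | "MISSING" | "REJECTED(<algo>)"}."""
    results = {}
    for line in checksum_text.splitlines():
        parsed = parse_checksum_line(line)
        if parsed is None:
            continue
        algo, expected, filename = parsed
        if algo in WEAK_ALGOS and not allow_weak:
            results[filename] = "REJECTED(%s)" % algo
            continue
        try:
            stream = open_file(filename)
        except FileNotFoundError:
            results[filename] = "MISSING"
            continue
        with stream:
            actual = hash_stream(stream, algo)
        # Constant-time comparison of two equal-length hex strings.
        results[filename] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def benchmark(algos=("md5", "sha1", "sha256"), size=16 << 20, repeat=3):
    """Best-of-`repeat` throughput in MiB/s of each digest over `size` bytes in memory."""
    data = b"\x00" * size
    rates = {}
    for algo in algos:
        best = None
        for _ in range(repeat):
            start = time.perf_counter()
            hashlib.new(algo, data).hexdigest()
            elapsed = time.perf_counter() - start
            best = elapsed if best is None else min(best, elapsed)
        rates[algo] = (size / (1 << 20)) / best
    return rates


# Constructed sample data: placeholder names and contents, not real CentOS images.
SAMPLE_FILES = {
    "CentOS-6.2-x86_64-minimal.iso": b"pretend this is an ISO image\n" * 1000,
    "CentOS-6.2-x86_64-netinstall.iso": b"another pretend image\n" * 1000,
}
_good = hashlib.sha256(SAMPLE_FILES["CentOS-6.2-x86_64-minimal.iso"]).hexdigest()
_real = hashlib.sha256(SAMPLE_FILES["CentOS-6.2-x86_64-netinstall.iso"]).hexdigest()
_tampered = _real[:-1] + ("0" if _real[-1] != "0" else "1")  # one hex digit flipped
_old_md5 = hashlib.md5(SAMPLE_FILES["CentOS-6.2-x86_64-minimal.iso"]).hexdigest()
SAMPLE_CHECKSUMS = "\n".join([
    "# constructed listing in sha256sum output format",
    _good + "  CentOS-6.2-x86_64-minimal.iso",
    _tampered + "  CentOS-6.2-x86_64-netinstall.iso",   # corrupted/substituted download
    _old_md5 + "  CentOS-6.2-x86_64-minimal.iso.old",   # legacy md5 line
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  missing.iso",
])


def _open_sample(name):
    if name not in SAMPLE_FILES:
        raise FileNotFoundError(name)
    return io.BytesIO(SAMPLE_FILES[name])


def demo():
    return verify_checksums(SAMPLE_CHECKSUMS, _open_sample)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-40s %s" % (name, status))
    for algo, rate in benchmark().items():
        print("%-8s %8.1f MiB/s" % (algo, rate))
```

Running the module prints one status per listed file and the measured MiB/s for each digest; the relative speed of sha1 and sha256 varies with the OpenSSL build and CPU, so the benchmark is there to reproduce a measurement rather than to settle the question.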