gnu-arch-users

Re: [Gnu-arch-users] SHA1 sums for checksums file


From: Florian Weimer
Subject: Re: [Gnu-arch-users] SHA1 sums for checksums file
Date: Tue, 6 Jan 2004 17:56:13 +0100
User-agent: Mutt/1.5.4i

Tom Lord wrote:

> (Assuming I do merge in SHA1 support, then) I don't mind leaving md5.c
> linked in.  Is your opinion that md5 security is _so_ bad that
> revisions currently using it should be changed?  Or would it be
> enough to just use sha1 on new revisions?

The design decisions behind SHA (and thus SHA-1) have never been made
public.  It is, however, based on MD4 (like MD5), but uses other methods
than MD5 to counter the (theoretical) attacks that were published for
MD4.

Dobbertin has subsequently shown that attacks equivalent to those on MD4
(which was generally considered insecure, although the known attacks are
just theoretical) are possible on MD5.  Therefore, you probably should
view MD5 as a suboptimal choice (but not dangerously wrong).

My feeling is that you shouldn't introduce MD5 for new protocols and
applications, and use SHA-1 instead, even though MD5 is about twice as
fast as SHA-1.



