bug#6789: MD5 is broken

[Pádraig Brady]

On 14/08/10 18:19, Bruno Haible wrote:
> Hi Pádraig,
> 
>> I also removed the addition to --help
>> (and consequently the man page), as I think it's overkill.
> 
> It's common to list important issues with a program or function
> in the BUGS section of the manual page. For example,
> 
>   $ man 3 tempnam
>   ...
>   BUGS
>   ...
>          Never use this function.  Use mkstemp(3) or tmpfile(3) instead.
> 
> In particular if the use of a program may have severe security implications,
> I would expect to know about it from the manual page.

OK cool. I was thinking that warnings would be more appropriate
in library docs rather than the user util, but I will add
the warning to BUGS in man/md5sum.x and leave --help unchanged.

>> If we were to add something to --help it should
>> probably be also done for sha1sum
> 
> The attacks on SHA-1 are less advanced than those on MD5, currently.
> But if you would warn against use of SHA-1 also, please go ahead.
> 
>> commit 4caf1adec8e6ce0cb7ab75365ab312411b2d47bd
>> Author: Bruno Haible <address@hidden>
>> Date:   Tue Aug 10 01:56:36 2010 +0100
>>
>>     doc: improve the info on md5sum security weaknesses
>>
>>     * doc/coreutils.texi (md5sum invocation): Mention currently known
>>     security problems. Don't recommend SHA-1 as alternative.
>>     Reported by Simon Josefsson
> 
> You haven't pushed this so far, I think?

I only added it to my local queue in case there was
feedback on my amendments. I will apply the update now.

thanks,
Pádraig.