Change Details

Given the recent publication of the [[ https://shattered.it/ | "SHAttered" SHA-1 collision proof ]] by people at Google and the Centrum voor Wiskunde en Informatica in Amsterdam, wouldn't it be legitimate to provide safer checksums than the ones currently provided (MD5 and SHA-1) ? Granted, they've been historically used for that purpose, but now that **//both//** can be collided with legit-looking payloads with the same hash as any given payload, it would probably be best to either provide a third checksum or get rid of these old checksum hashing algos entirely and switch to a third. If anything, we could use algorithms in the SHA-2 family, like sha256 or sha512 (for which `sha256sum` and `sha512sum` packages are available since ubuntu 12.04 « Precise Pangolin ») ; or in the SHA-3 family (for which a unique `sha3sum` package is available since Ubuntu 15.10 « Wily Werewolf », using a command line parameter to choose the exact algorithm and size of the resulting hash). Or even both. Considering we've abandonned sha1 for our SSL/TLS certificates, (as we should have of course), it would make sense to, if not abandon them outright, at least provide safer alternatives for the checksums of dumps we provide.

Given the recent publication of the [[ https://shattered.it/ | "SHAttered" SHA-1 collision proof ]] by people at Google and the Centrum voor Wiskunde en Informatica in Amsterdam, wouldn't it be legitimate to provide safer checksums than the ones currently provided (MD5 and SHA-1) ? Granted, they've been historically used for that purpose, but now that **//both//** can be collided with legit-looking payloads with the same hash as any given payload, it would probably be best to either provide a third checksum or get rid of these old checksum hashing algos entirely and switch to a third. If anything, we could use algorithms in the SHA-2 family, like sha256 or sha512 (for which `sha256sum` and `sha512sum` packages are available since ubuntu 12.04 « Precise Pangolin ») ; or in the SHA-3 family (for which a unique `sha3sum` package is available since Ubuntu 15.10 « Wily Werewolf », using a command line parameter to choose the exact algorithm and size of the resulting hash). Or even both. Considering we've abandonned SHA-1 for our SSL/TLS certificates, (as we should have of course), it would make sense to, if not abandon them outright, at least provide safer alternatives for the checksums of dumps we provide.

Given the recent publication of the [[ https://shattered.it/ | "SHAttered" SHA-1 collision proof ]] by people at Google and the Centrum voor Wiskunde en Informatica in Amsterdam, wouldn't it be legitimate to provide safer checksums than the ones currently provided (MD5 and SHA-1) ? Granted, they've been historically used for that purpose, but now that **//both//** can be collided with legit-looking payloads with the same hash as any given payload, it would probably be best to either provide a third checksum or get rid of these old checksum hashing algos entirely and switch to a third. If anything, we could use algorithms in the SHA-2 family, like sha256 or sha512 (for which `sha256sum` and `sha512sum` packages are available since ubuntu 12.04 « Precise Pangolin ») ; or in the SHA-3 family (for which a unique `sha3sum` package is available since Ubuntu 15.10 « Wily Werewolf », using a command line parameter to choose the exact algorithm and size of the resulting hash). Or even both. Considering we've abandonned sha1SHA-1 for our SSL/TLS certificates, (as we should have of course), it would make sense to, if not abandon them outright, at least provide safer alternatives for the checksums of dumps we provide.