Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Florian Weimer fw at deneb.enyo.de
Sat Jan 3 23:16:03 UTC 2009


> What's the cost to switching to something other than MD5 here,
> though?

Just the general risk of change (sometimes referred to as "bricking").
The changes on the generating side have already been implemented.

Maybe we should include a dummy package entry at the beginning of the
package list, with unpredictable contents.  This should be sufficient
with the current level of cryptanalysis (like most folks, we are
relatively unprotected against second preimage attacks because we
still need to support MD5-only private repositories and OpenPGP V3
signing keys).  It does not solve the problem that MD5 is an outcast
these days, no matter how it is used.

> I agree that users not checking download links is likely more
> probabilistic.  But as checking the sums is already entirely a manual
> process, what's the trouble with switching to sha256 now and stating
> this in the DSA mails?

There are some folks who use scripts to parse the messages.  But as I
said, we are far more likely to drop .deb hashes altogether, probably
as lenny is released.

> I have to admit that hearing that Debian's going to continue moving
> forward with md5 until an unspecified somewhen date in the future is
> a bit disappointing.

Yes, I'd like to zap a magic wand and make all those MD5-only APT
installations go away, but it isn't that easy.




More information about the NANOG mailing list
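
The dummy-entry idea from the message above, sketched as an added example (not code from the post or from Debian): a package list whose first stanza carries a fresh random value, so nobody can know in advance the bytes that precede the real entries in the hashed file. The stanza name `zz-unpredictable-prefix`, the choice of fields, and the sample packages are assumptions constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample stanzas in Packages-index style (not real archive data).
REAL_STANZAS = [
    "Package: hello\nVersion: 2.2-2\nArchitecture: i386\n"
    "Filename: pool/main/h/hello/hello_2.2-2_i386.deb",
    "Package: example-tool\nVersion: 1.0-1\nArchitecture: all\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_all.deb",
]

# Hypothetical name for the dummy entry; no such package is defined on the page.
DUMMY_NAME = "zz-unpredictable-prefix"


def build_index(stanzas, nonce=None):
    """Return the list text with a dummy first stanza holding a random nonce.

    The nonce is drawn at generation time, so the bytes hashed before the
    first real entry differ on every run and cannot be predicted.
    """
    nonce = nonce or secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    dummy = (
        f"Package: {DUMMY_NAME}\nVersion: 0\nArchitecture: all\n"
        f"Description: {nonce}"
    )
    return "\n\n".join([dummy, *stanzas]) + "\n"


def parse_index(text):
    """Parse stanzas into {package: fields}, ignoring the dummy entry."""
    packages = {}
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines())
        if fields["Package"] != DUMMY_NAME:
            packages[fields["Package"]] = fields
    return packages


def md5_of(text):
    """MD5 digest of the list, as an MD5-only client would compute it."""
    return hashlib.md5(text.encode()).hexdigest()


if __name__ == "__main__":
    first, second = build_index(REAL_STANZAS), build_index(REAL_STANZAS)
    print(md5_of(first), md5_of(second))  # two different digests
    print(sorted(parse_index(first)))     # real entries are unchanged
```

Clients that iterate over every stanza would see the dummy entry as an extra package, which is why the parser here filters it by name.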