Fellow murga uploaders, let's STOP using MD5/SHA1 ;-/

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Fellow murga uploaders, let's STOP using MD5/SHA1 ;-/

#1 Post by belham2 »

http://www.theregister.co.uk/2016/11/10 ... _analysis/

Look at the above article. It seems Yahoo knew about this breach as early as 2014, and chose to remain quiet (bet their employees sure changed passwords, accounts and/or left to someone more secure). But what is even more ghastly is Yahoo's known reliance on MD5 checksums for "both" file integrity and security checks (notice the paragraph where it discusses Yahoo still using MD5 hash checks).

MD5 & SHA1 are both known to be easily compromised. Could this not be a wakeup call to all puppy OS developers (and offshoots), plus all the package maintainers, here on Murga-Linux? How about a simple move to a minimum of SHA256 or, even better, sha512 checksums for anything uploaded to murga???

I may be wrong, but I've been told that putting sha256 and sha512 sums into ISOs, uploaded files, or whatever, is no harder & takes no more time than putting MD5 or SHA1 sums in. If this is true, it begs the question why is/are MD5/SHA1 sums used by anyone uploading things here?

In fact, if you notice & look around murga, there are a select few murga uploaders who are up to speed with this stuff----all their uploads are either SHA256 and/or SHA512.

Let's make a concerted push here: fellow murga goers, let's get up with the times and STOP using MD5/SHA1 for anything uploaded here whether it is security checks and/or file integrity checks. Start using sha256 or sha512.

Please upvote and/or respond to this thread if you agree (or disagree too---which is curious since a move to SHA256/512, if it actually entails no more effort than MD5/SHA1, is defended).


P.S. And notice that the checksum utilities offered in most pups do all, md5, sha1, sha256, and sha512. The ones that don't, well they are easily modified...I know, I posted in Peebee's threads modifying the checksum in LxPup's with an easy addition of a few lines of code in the script.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#2 Post by perdido »

belham2 wrote:
it begs the question why is/are MD5/SHA1 sums used by anyone uploading things here?

Out of habit mostly.

Not sure exactly what you are referring to, pet files, iso files, home-made files, etc., stuff on other servers, murga only, or everything under the sun?

Most stuff uploaded here has no checksum accountability whatsoever.
I believe there are md5 checksums in pet files.

As far as changing to sha1 or sha256, easy enough for individual packages to include the checksum in a txt but not sure how to automate that retroactively in files that have built-in md5, or how to change petget utility to handle different checksums.

I will add this to my to-do list for things I posted here.


dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#3 Post by dancytron »

I don't think it makes any difference when you are just using the checksum for file integrity. There is nothing to crack. Either the file is good or it isn't. There is nothing for anyone to steal. Checksums are more effective in finding file corruption than just checking that the files are the exact same size, otherwise we'd just do that.

It is totally different if it is being used to keep something secret or for a security check, but in the case of uploaded files it isn't.
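As an added example (not code from this thread, from Puppy Linux or from any murga tool), here is the whole workflow belham2 is asking for, in the shell a Puppy user would actually type it into: an uploader writes a SHA256SUMS or SHA512SUMS manifest for a directory of files, a downloader verifies the manifest or checks one file against a digest pasted in a forum post, and a posted digest is classified by its length so MD5/SHA-1 sums are recognised (and refused) on sight. It assumes GNU or BusyBox coreutils (`sha256sum`, `sha512sum`, `find`, `sed`, `sort`, `mktemp`); the file names and contents in the demo are constructed for the example. On dancytron's point: a manifest stored next to the files on the same server only catches corruption, because whoever can swap the file can also rewrite the manifest; a digest posted in a separate place (the forum thread) is what gives it any value against substitution, and only a collision-resistant hash makes that digest hard to satisfy with a different file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppy/murga tooling.
# Generate and verify SHA-256/SHA-512 manifests for a directory of uploads,
# and check one downloaded file against a digest copied from a forum post.
# Assumes GNU or BusyBox coreutils (sha256sum/sha512sum, find, sed, sort).

# Name the algorithm from the length of a posted hex digest, so an uploader
# can see at a glance whether a sum is MD5 (32 hex chars), SHA-1 (40),
# SHA-256 (64) or SHA-512 (128). Prints the name; returns 1 if unknown.
hash_algo_of() {
    case ${#1} in
        32)  echo md5 ;;
        40)  echo sha1 ;;
        64)  echo sha256 ;;
        128) echo sha512 ;;
        *)   echo unknown; return 1 ;;
    esac
}

# make_sums DIR BITS: write DIR/SHA256SUMS or DIR/SHA512SUMS covering every
# regular file in DIR except the manifests themselves, sorted by name so the
# manifest is reproducible. The leading "./" that find adds is stripped.
make_sums() {
    dir=$1; bits=$2
    ( cd "$dir" && find . -maxdepth 1 -type f ! -name 'SHA*SUMS' \
        -exec "sha${bits}sum" {} + | sed 's#  \./#  #' | sort -k2 \
        > "SHA${bits}SUMS" )
}

# verify_sums DIR BITS: re-hash every file listed in the manifest; exit status
# is 0 only when every file matches (the -c mode of sha*sum does the work).
verify_sums() {
    dir=$1; bits=$2
    ( cd "$dir" && "sha${bits}sum" -c "SHA${bits}SUMS" >/dev/null 2>&1 )
}

# check_one FILE EXPECTED: compare a single download against a digest copied
# from a forum post. The algorithm is picked from the digest's length, and a
# 32/40-char (MD5/SHA-1) digest is refused outright. Returns 0 on a match,
# 1 on a mismatch, 2 when the digest is unusable.
check_one() {
    file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    algo=$(hash_algo_of "$expected") || return 2
    case $algo in
        md5|sha1) echo "refusing weak $algo digest for $file" >&2; return 2 ;;
    esac
    actual=$("${algo}sum" "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on constructed sample files (names and contents made up here).
demo() {
    d=$(mktemp -d)
    printf 'constructed pet payload\n' > "$d/foo-1.0.pet"
    printf 'constructed iso payload\n' > "$d/pup.iso"
    make_sums "$d" 256 && make_sums "$d" 512
    if verify_sums "$d" 256 && verify_sums "$d" 512; then
        echo "clean upload: SHA256SUMS and SHA512SUMS both verify"
    fi
    printf 'bit flip' >> "$d/pup.iso"      # simulate corruption in transit
    verify_sums "$d" 256 || echo "corrupted pup.iso: SHA256SUMS check fails"
    rm -rf "$d"
}
demo
```

Uploaders run `make_sums . 256` (or 512) in the directory they are about to upload and post the manifest, or the single digest line, in the thread; downloaders run `verify_sums . 256` after fetching everything, or `check_one file.pet <digest>` for a single file. Because `check_one` derives the algorithm from the digest length, a pasted MD5 or SHA-1 sum is rejected instead of silently accepted.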
