Re: checksum suggestion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Tom Horsley wrote:

There is little doubt that sometime soon some fiendish
mathematician somewhere will discover that sha256sum
is really hopelessly broken and only a fool would ever
have used it, then we'll all have to switch to
shaalephnullsum or some such :-).

How about we forestall all this nonsense by creating
a new rpm that just has one symlink in it named

best-sum

Then everyone can just always use the best-sum program
when checking isos, etc and when a new release comes
out, it can come with a new best-sum package that installs
the appropriate symlink to the appropriate actual
checksum tool :-).
I just posted a minuscule one liner in response to Stan's comment in the 'sha256sum' thread, it could be a two liner and include your suggestion. Better yet would be to make the checksum file a shell script which one could source and do the right thing no matter what comes in the future. That would be convenient for easily confused users.
But barring some huge breakthrough in computing power or theory, sha256sum will be safe for decades.
Security note: any checksum is only as secure as the source of the checksum. If you get the checksum from a fedora official site then sha256sum is better than md5sum to protect against deliberate tampering. But if you are checking to catch transmission errors, which are random, then md5sum will catch all but one in billions. In other words, if an evildoer were tampering with the ISO image, they would probably tamper with the checksum you got from the same place, so sha256sum is subject to deliberate attacks from that method.
I think I got my official checksums from the wiki, I did download mine from an official site, I am not a trusting person. ;-) 

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux