[Rpm-metadata] MD5 is vulnerable...

[seth vidal]

On Wed, 2005-02-16 at 23:29 -0600, Randy Zagar wrote:
>It's been known for at least a few months that there are 
>block-transposition attacks that can cause collision problems with MD5.  
>This means that it is theoretically possible to construct a new 
>(possibly hostile) file that has the same MD5 checksum as a file that we 
>trust...
>
>Bruce Schneier also reports on his weblog that SHA-1 has been 
>compromised.  The difficulty of cracking SHA-1 checksums has been 
>reduced from "virtually impossible" to "extremely difficult".
>
>In light of this, I'd like to suggest that the xml metadata be modified 
>to include BOTH the MD5 and SHA-1 checksums in the metadata files...  
>Even if someone manages to compromise one signature, it'll be 
>geometrically more difficult to compromise both signatures simultaneously...

not to make light of this but, umm, you're kidding, right?

-sv