MD5 checksums for images

Vinzenz Hersche hersche at puzzle.ch
Tue Jan 13 10:10:58 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Pottage schrieb:
> On Mon, January 12, 2009 9:13 pm, Rui Miguel Silva Seabra wrote:
>> On Mon, Jan 12, 2009 at 06:46:35PM +0100, Fernando Martins wrote:
>>
>>> I've downloaded images for om2008.12, FSO and SHR and something
>>> that puzzles me is the lack of MD5 checksums on these
>>> repositories. The sums would just take a couple of minutes to
>>> put there, so I'm wondering if there is some other check going
>>> on by dfu before flashing??
>> Whoever cares about MD5 checksums, nowadays, is putting up a
>> farse, at least demand SHA256 ;)
>
> The point of MD5 checksums is to check for download errors,
> truncated files or the repository maintainer uploading the wrong
> file somehow.
>
> It is not to protect us from black hats who might somehow replace a
>  correct image with a malware infected one. (If they are able to do
> that, they can replace the md5sums file a the same time).
>
> Anyway, MD5 sum checking is done automaticaly in many tools, and
> most people are familiar with the commands to check MD5 sums, so if
> the images come with MD5 sums they will be checked easily. If they
> come with another sort of checksum, it will be harder to check, for
> no real benefit.
>
i think, md5 is enough, but sha256 is better (it's a smaller
possibility that there is a hash double, but when would this happend? :p)
there is enough space and the prozessors are fast, so why didn't use
sha256?

- --
Vinzenz Hersche
Lehrling 2. Lehrjahr

Puzzle ITC GmbH
www.puzzle.ch

Telefon +41 31 370 22 00
Direkt  +41 31 370 22 04
Mobile  +41 78 845 24 12
Fax     +41 31 370 22 01

Puzzle ist Mitglied der Eclipse Foundation:
<http://www.puzzle.ch/eclipse/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAklsWpoACgkQK9d7OHUJmA5hQACfRUHgz2LUuIO5+G5EJyrU4ZB/
jvMAni6nY/YbfGpa4Wqvm6mytWuNf7wf
=YSRv
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: hersche.vcf
Type: text/x-vcard
Size: 171 bytes
Desc: not available
Url : http://lists.openmoko.org/pipermail/community/attachments/20090113/08a68113/attachment.vcf 


More information about the community mailing list