Please stop publishing md5sum and sha1sums
Bug #1883272 reported by Dimitri John Ledkov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu CD Images | Triaged | Medium | Unassigned |
Bug Description
Please stop publishing md5sum and sha1sums.
They are weak and insecure. We already publish SHA256 and everyone should use that.
Information type: Public → Public Security
Don't we still have documentation directing users to check the md5sums to verify the integrity of their downloads? That needs to be fixed first.
Also if we're not asking users to do complete cryptographic verification with gpg, then checking a stronger hash instead of a weaker one doesn't add any real protection against an attacker because they can MITM both the image and the checksum downloads.
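The difference between a hash-only check and a signature-backed check, as an added example that is not part of the original bug report or Ubuntu's own tooling. It assumes the release directory holds `SHA256SUMS` with a detached signature `SHA256SUMS.gpg`, and that the caller supplies the absolute path of a trusted keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed layout: DIR contains the image, SHA256SUMS and
# the detached signature SHA256SUMS.gpg. KEYRING is chosen by the caller.

# Hash-only check: shows the image matches SHA256SUMS and nothing more.
# If both files came over the same untrusted channel, this still passes.
# usage: check_hash_only DIR IMAGE
check_hash_only() (
    cd "$1" || exit 1
    # Select exactly the line for IMAGE ("name" or binary-mode "*name").
    line=$(awk -v f="$2" '$2 == f || $2 == "*" f' SHA256SUMS)
    [ -n "$line" ] || exit 1          # no entry for IMAGE: fail closed
    printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1
)

# Signed check: SHA256SUMS must verify against a trusted keyring before
# its contents are used to check the image.
# usage: verify_signed DIR IMAGE KEYRING   (KEYRING as an absolute path)
verify_signed() (
    cd "$1" || exit 1
    [ -f SHA256SUMS.gpg ] || exit 1   # missing signature: fail closed
    # gpgv exits non-zero unless the detached signature is valid and was
    # made by a key in KEYRING; a missing gpgv also ends up here.
    gpgv --keyring "$3" SHA256SUMS.gpg SHA256SUMS >/dev/null 2>&1 || exit 1
    check_hash_only . "$2"
)
```

The keyring has to come from a source that is independent of the download itself, otherwise the signature check inherits the same weakness as the bare checksum.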