provide SHA1SUMS as well as MD5SUMS on cdimage

Bug #33438 reported by sjansen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu CD Images | Fix Released | Wishlist | Colin Watson |
Ubuntu | Invalid | Wishlist | Unassigned |

Bug Description

Recent Ubuntu flight iso releases still include md5sum files. Other distros appear to be switching to using sha1sums. I am aware of the md5sum.gpg file and that this can be used to avoid the potential vulnerabilities of md5. I think a better solution would be to use sha1sum and include a sha1sum.gpg.

Colin Watson (cjwatson) wrote :

MD5's collision-resistance is indeed broken, although its second-preimage resistance is not as yet. Given the lack of feasible second-preimage attacks, I don't believe that we yet have to worry about somebody substituting another message that both had the same hash *and* managed to be a valid and installable CD image. We choose to provide MD5 checksums because lots of people have an md5sum utility available even on Windows machines, and I'd like to encourage as many people as possible to perform at least some kind of hash verification (of course they have to have a trust path to my key, but you can't win them all).

It is certainly not true that MD5SUMS.gpg helps you overcome vulnerabilities in the underlying hash in any way. If second-preimage attacks were possible against the underlying hash, then an attacker could substitute another image that would have the same md5sum and thus the same MD5SUMS.gpg.

It would certainly be useful to provide SHA1 checksums as well, although don't kid yourself that it's all that much better than MD5, and I haven't done it yet because the CD image release process is already painfully slow due to md5summing just about the entire world every time it copies images from place to place. Once I improve the speed of that process, I'll be able to provide SHA1SUMS files.
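The check discussed in this thread, as an added example that is not part of the bug report or of the cdimage code: it verifies one image against both an MD5SUMS and a SHA1SUMS list while reading the image only once. The file name sample.iso, the function names and the sample data are assumptions made for the illustration.

```python
import hashlib
import io

# Constructed sample: the "image" is the 3-byte string b"abc", whose MD5 and
# SHA-1 digests are the standard published test vectors. Lines use the
# "<digest> *<filename>" layout that md5sum/sha1sum write in binary mode.
MD5SUMS = "900150983cd24fb0d6963f7d28e17f72 *sample.iso\n"
SHA1SUMS = "a9993e364706816aba3e25717850c26c9cd0d89d *sample.iso\n"

def parse_sums(text):
    """Map filename -> hex digest for md5sum/sha1sum style checksum lists."""
    entries = {}
    for line in text.splitlines():
        digest, sep, rest = line.partition(" ")
        if not sep or len(rest) < 2:
            continue  # blank or malformed line
        # rest[0] is the mode flag: ' ' (text) or '*' (binary).
        entries[rest[1:]] = digest.lower()
    return entries

def digests_one_pass(stream, algorithms=("md5", "sha1"), chunk=1 << 20):
    """Read the image once, feeding each chunk to every hash object."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(filename, stream, sums_by_algorithm):
    """Return {algorithm: 'OK' | 'MISMATCH' | 'MISSING'} for one image.

    The signature on each list (e.g. MD5SUMS.gpg) has to be checked separately
    with gpg; it authenticates the digest lines, not the image bytes.
    """
    actual = digests_one_pass(stream, tuple(sums_by_algorithm))
    result = {}
    for algo, sums_text in sums_by_algorithm.items():
        expected = parse_sums(sums_text).get(filename)
        if expected is None:
            result[algo] = "MISSING"
        else:
            result[algo] = "OK" if expected == actual[algo] else "MISMATCH"
    return result

if __name__ == "__main__":
    lists = {"md5": MD5SUMS, "sha1": SHA1SUMS}
    print(verify("sample.iso", io.BytesIO(b"abc"), lists))  # intact image
    print(verify("sample.iso", io.BytesIO(b"abd"), lists))  # altered image
```

Treating the image as good only when every listed algorithm reports OK means a substituted image would have to match the MD5 and the SHA-1 digest at once.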

Colin Watson (cjwatson) wrote :

Moving bug to ubuntu-cdimage product.

Changed in ubuntu-cdimage:
importance: Undecided → Wishlist
status: Unconfirmed → Confirmed

Colin Watson (cjwatson) wrote :

revno: 735
committer: Colin Watson <email address hidden>
branch nick: cdimage
timestamp: Mon 2009-04-20 13:49:53 +0100
message:
  map .img to .raw as well as .iso
------------------------------------------------------------
revno: 734
committer: Colin Watson <email address hidden>
branch nick: cdimage
timestamp: Mon 2009-04-20 13:46:45 +0100
message:
  publish SHA1SUMS files (LP: #33438)
------------------------------------------------------------
revno: 733
committer: Colin Watson <email address hidden>
branch nick: cdimage
timestamp: Mon 2009-04-20 13:38:07 +0100
message:
  copy md5sums around when copying images around, including during release publishing; be more accurate about removing old md5sums that no longer apply

Changed in ubuntu-cdimage:
assignee: nobody → Colin Watson (cjwatson)
status: Confirmed → Fix Released