July 3, 2012
10:48 a.m.
On Tuesday, July 3, 2012 at 3:45 AM, Tarek Ziadé wrote:
Hashes in the RECORD file have nothing to do with making sure the package originated from developer X. Their only purpose is to know whether a file on the system was changed.
Using sha256 would enable preventing someone from maliciously changing the file, similar to how IDS systems capture hashes of binaries to compare against. Of course, someone using the system like this would need to protect the filesystem storing the RECORD files accordingly. I also think that switching to sha256 is pretty low cost, with minimal (no?) downsides and some possible upsides. Is there a reason to stay with md5?
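The change-detection use of RECORD described in this exchange, as an added example that is not part of the thread or of any packaging tool: it assumes the wheel-style row format `path,<algo>=<urlsafe-base64 digest without padding>,<size>` (an assumption; PEP 376 itself used bare md5 hex) and flags entries whose algorithm is md5 or sha1, which suffice for "did this file change?" but not against an attacker who can also edit the file.

```python
# Added example, not from the thread: verify installed files against RECORD.
# Assumed row format: path,<algo>=<urlsafe-base64 digest, no '=' padding>,<size>
# The row for RECORD itself carries no hash and is reported as "unhashed".
import base64
import csv
import hashlib
import io
import os

# Adequate for accidental-change detection, not against deliberate tampering.
WEAK_ALGORITHMS = {"md5", "sha1"}

def digest_file(path, algo):
    """Hash one file with the named hashlib algorithm, RECORD-encoded."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return base64.urlsafe_b64encode(h.digest()).rstrip(b"=").decode("ascii")

def make_record(root, rel_paths, algo="sha256"):
    """Build RECORD text for the given files beneath root."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for rel in rel_paths:
        full = os.path.join(root, rel)
        writer.writerow([rel, f"{algo}={digest_file(full, algo)}", os.path.getsize(full)])
    writer.writerow(["RECORD", "", ""])  # RECORD cannot hash itself
    return out.getvalue()

def verify_record(root, record_text):
    """Map each recorded path to 'ok', 'modified', 'missing' or 'unhashed'."""
    results = {}
    for row in csv.reader(io.StringIO(record_text)):
        if not row:
            continue
        rel, hash_spec, _size = row
        if not hash_spec:
            results[rel] = "unhashed"
            continue
        algo, expected = hash_spec.split("=", 1)
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif digest_file(full, algo) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    return results

def weak_entries(record_text):
    """Paths whose RECORD hash uses an algorithm an attacker could collide."""
    return [row[0] for row in csv.reader(io.StringIO(record_text))
            if row and row[1] and row[1].split("=", 1)[0] in WEAK_ALGORITHMS]
```

As the reply notes, this only helps if the RECORD file itself is kept out of reach of whoever might alter the installed files.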