On Tuesday, July 3, 2012 at 3:45 AM, Tarek Ziadé wrote:

The hashes in the RECORD file have nothing to do with making sure the package
originated from developer X.
Their only purpose is to know if a file on the system was changed.

Using sha256 would make it possible to prevent someone from maliciously changing the
file, similar to how IDS systems capture hashes of binaries to compare against.
Of course, someone using the system like this would need to protect the filesystem
storing the RECORD files accordingly.

I also think that switching to sha256 is pretty low cost, with minimal (no?) downsides
and some possible upsides. Is there a reason to stay with md5?
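The integrity check the thread is discussing, as an added example that is not part of the original mail: a RECORD-style manifest is written with per-file hashes and sizes, then re-verified against the installed files to flag anything modified or missing. The "algo=urlsafe-base64" hash form, the in-memory stand-in for the filesystem and the sample files are assumptions constructed for this example.

```python
import base64
import csv
import hashlib
import io

# Constructed stand-in for the installed files (path -> bytes), so the
# example runs offline without touching a real site-packages directory.
INSTALLED = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/util.py": b"def helper():\n    return 42\n",
}


def digest_entry(data: bytes, algo: str = "sha256") -> str:
    """Hash file bytes into the assumed 'algo=<unpadded urlsafe base64>' form."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}={base64.urlsafe_b64encode(digest).rstrip(b'=').decode()}"


def write_record(files: dict, algo: str = "sha256") -> str:
    """Build a RECORD-style CSV: path, hash, size. The algorithm is a parameter
    so md5 and sha256 manifests can be produced by the same code."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for path, data in sorted(files.items()):
        writer.writerow([path, digest_entry(data, algo), len(data)])
    return buf.getvalue()


def verify_record(record: str, files: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'} for every RECORD row.

    A row is 'modified' when either the hash or the recorded size disagrees
    with the file now present; the algorithm is taken from the hash field."""
    result = {}
    for path, hash_field, size in csv.reader(io.StringIO(record)):
        data = files.get(path)
        if data is None:
            result[path] = "missing"
            continue
        algo = hash_field.partition("=")[0]
        if digest_entry(data, algo) != hash_field or int(size) != len(data):
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


if __name__ == "__main__":
    record = write_record(INSTALLED)
    # Same-length edit: size alone would not catch it, the hash does.
    tampered = dict(INSTALLED, **{"pkg/util.py": b"def helper():\n    return 43\n"})
    print(verify_record(record, tampered))
```

The same check with an md5 RECORD runs unchanged; the difference the mail argues for is that a same-length replacement with a matching sha256 digest is not something an attacker can construct, whereas md5 no longer offers that guarantee.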