Re: [dev] Checksums and Sig files for release gzip

From: Mattias Andrée <maandree_AT_kth.se>
Date: Tue, 13 Apr 2021 17:08:31 +0200

On Tue, 13 Apr 2021 16:57:39 +0200
Sagar Acharya <sagaracharya_AT_tutanota.com> wrote:

> Sure, any good signature. SHA512 is stronger than SHA1, MD5 and SHA256. It shouldn't take a second more than others. Why use a weaker checksum?

SHA512 is actually more than twice as fast as SHA256 on 64-bit machines.
(I don't know which is stronger).

I see no point in having checksums at all, except for detecting bitrot.
Signatures are of course good.

> Thanking you
> Sagar Acharya
> https://designman.org
>
>
>
> 13 Apr 2021, 20:15 by daniel.cegielka_AT_gmail.com:
>
> > How/where is SHA512 better than SHA256 or SHA1? I don't see any added
> > value in this. If someone breaks into your server and replaces files,
> > they may also regenerate checksums (SHA256/512 or SHA3, scrypt etc.). The
> > use of MD5 will be equally (un)safe as SHA512 :)
> >
> > A better solution is e.g. signify from OpenBSD or GnuPG.
> >
> > https://man.openbsd.org/signify
> >
> > Daniel
> >
> > Tue, 13 Apr 2021 at 13:36 Sagar Acharya <sagaracharya_AT_tutanota.com> wrote:
> >
> >>
> >> Can we have SHA512 checksums and sig files for the release gzips of suckless software?
> >>
> >> Thanking you
> >> Sagar Acharya
> >> https://designman.org
> >>
>
Received on Tue Apr 13 2021 - 17:08:31 CEST
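
The argument in the thread above, as an added example that is not part of any message: a checksum stored next to the tarball is regenerated by whoever replaces the file, while a signature checked against a public key obtained elsewhere is not. A Lamport one-time signature built from hashlib stands in for signify or GnuPG so the block needs only the standard library; all function names and sample bytes are constructed for illustration.

```python
import hashlib
import secrets

def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

def _bits(msg: bytes):
    # 256 message-digest bits select which half of each key pair is used.
    digest = hashlib.sha256(msg).digest()
    return [(byte >> i) & 1 for byte in digest for i in range(8)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets, public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][bit]
        for (i, bit), s in zip(enumerate(_bits(msg)), sig))

def publish(tarball: bytes, sk):
    # Maintainer uploads the tarball, its checksum and its signature.
    return {"tarball": tarball, "sha512": sha512_hex(tarball),
            "sig": sign(sk, tarball)}

def tamper(server, new_tarball: bytes):
    # Server-side write access only, no private key: the file and the
    # checksum change together, the old signature is all that is left.
    return dict(server, tarball=new_tarball, sha512=sha512_hex(new_tarball))

def downloader_checks(server, pk):
    checksum_ok = sha512_hex(server["tarball"]) == server["sha512"]
    signature_ok = verify(pk, server["tarball"], server["sig"])
    return checksum_ok, signature_ok

def demo():
    sk, pk = keygen()  # assumption: pk reaches users out of band
    clean = publish(b"constructed release contents 1.0", sk)
    bad = tamper(clean, b"constructed release contents 1.0 (modified)")
    return downloader_checks(clean, pk), downloader_checks(bad, pk)

if __name__ == "__main__":
    print(demo())
```

The checksum comparison passes for both the clean and the replaced tarball; only the signature check tells them apart.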
