Reply to post: Re: md5?

Linux Mint hacked: Malware-infected ISOs linked from official site

Charles 9 Silver badge

Re: md5?

"However, my point that sha1 let alone md5 is frowned upon still stands and doesn't bode well for mint when they don't even use sha1."

It's a compromise. MD5 may not be the best tool in the shed, but for now it's still useful against preimage attacks, it's standard, programs to do it are literally everywhere, and among standard-bearers like SHA, it's the fastest of the lot. And since hashing something big like an ISO takes time, especially with underpowered computers, that can be important in terms of actually using it (for hashing the Nandoid backups on my phone takes nearly as much time as the backup itself—ARM chips have a reputation for being thrifty but wimpy).

Providing an MD5 hash in combination with other hashes allows the user to make the conscious decision to take the quick-but-less-safe MD5 check or opt to use one of the other signature checks, either instead or in addition.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2020