Announcement

**ElectricPrism** · 27 February 2017, 04:19 PM

Well, is Mir using it to encrypt data or to ensure binary integrity.

Imy with Linus in that binary integrity is not effected by SHA1 being imperfect.

It be like throwing away a shovel just because it can't dig molten lava. A shovel is not intended for that purpose.

**starshipeleven** · 27 February 2017, 04:56 PM

Originally posted by ElectricPrism View Post

Well, is Mir using it to encrypt data or to ensure binary integrity.

Micheael linked the article about "Mir Cookies" in his article.
Mir's cookie library is explained as, "a simple mechanism for a group of cooperating processes to hand out and verify difficult-to-forge timestamps to untrusted 3rd parties."

That's a security feature, therefore SHA1 is definitely a nope here.

**curfew** · 27 February 2017, 05:12 PM

Originally posted by ElectricPrism View Post

Well, is Mir using it to encrypt data or to ensure binary integrity.

Imy with Linus in that binary integrity is not effected by SHA1 being imperfect.

Erm, the only purpose for hashing algorithms (like SHA family) is verification of integrity. They are one-way functions that transform input data into a random pattern of a fixed length but without the possibility of 'extracting' the original data in any way. I imagine any use of SHA-1 hashes will cause sort of a vulnerability but you have to then decide whether or not that vulnerability is feasible in practical terms. Like Linus reasoned it with Git: the point of SHA-1 hashes is not to make Git secure per se but to achieve basic level of integrity verification (against non-intentional corruptions).

**uid313** · 27 February 2017, 05:48 PM

What about apt-get, synaptic, snap, GNOME Software, PackageKit, and Flatpak?

**carewolf** · 27 February 2017, 06:07 PM

That's a bit late. SHA1 has been known to be weak and about to break for a long time. Not critical enough to need immediate replacement, but why would anyone use it in new code?

**franglais125** · 27 February 2017, 06:17 PM

Originally posted by uid313 View Post

What about apt-get, synaptic, [...]

As for apt (and synaptic I guess): SHA1 is "untrusted" and "unusable" [1], but you can use it if you want. My guess is you'll have to specifically enable it, so it's on you if you have a security vulnerability.

[1] "Do not consider SHA1 usable" March 2016, https://tracker.debian.org/media/pac...ngelog-1.4~rc2

**starshipeleven** · 27 February 2017, 06:20 PM

Originally posted by uid313 View Post

What about apt-get, synaptic, snap, GNOME Software, PackageKit, and Flatpak?

apt-get, zypper, yum support SHA256 already since a while, GNOME Software, Synaptic and packagekit are just front-ends (GNOME software is a frontend for packagekit that is a frontend for the distro's package manager, I WANT MORE ABSTRACTIONS HERE, ADD THEM PLX), flatpack supports SHA256, dunno about snap but I would be surprised if it's different.

Also LEDE has migrated to SHA256 recently from MD5 that was what was used in OpenWRT's latest release (a year ago).

**darkbasic** · 27 February 2017, 08:21 PM

SHA1 was perfect for Mir: a soon-to-be-dead checksumming algorithm for a soon-to-be-dead display server. Such a pity they decided to move to sha256

**sarmad** · 27 February 2017, 08:35 PM

This is the first time I read the words "Mir" and "quick" in the same sentence.

Announcement

With SHA1 Proven Unsafe, Ubuntu's Mir Switches From SHA1 To SHA256

With SHA1 Proven Unsafe, Ubuntu's Mir Switches From SHA1 To SHA256

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment