Forums » Replicant development »
Added by Thomas Kitchin over 9 years ago
Hi. I was a little surprised at discovering you use MD5 checksums: the images and the tools are all using md5 as far as I can tell. Why not use something like SHA256?
Perhaps md5 isn't the strongest checksum mechanism, but it does the work. The md5sum is there mostly to ensure that there was no error in the download, not really to ensure that the image wasn't modified by a third party in the meantime. Only signatures can ensure that, which a chain of trust on the key: the checksum could be modified just as well as the images.