Why are MD5 checksum used for package verification #34
Comments
Hello @alphaDev23, you are right, we must review our hash verification in order to use a more "best practices" algorithm. From my view the best would be SHA-2, right? What do you think about it? Let us know and thanks! Regards,
SHA-256 is the checksum algo used by OSSEC (https://www.ossec.net/downloads.html) for users to verify downloads.
We note down your advice, thanks @alphaDev23. Regards,
Ok @alphaDev23, finally we are going to use SHA-512 for all our packages. Closing this issue. Further releases will come with SHA-512, thanks @alphaDev23!
Thank you for considering the recommendation and making the change.
You are welcome @alphaDev23
Given that there are hashing algos less susceptible to collisions than MD5 (https://www.kb.cert.org/vuls/id/836068) and that Wazuh is software centered around security, why are MD5 checksums used to verify packages (https://documentation.wazuh.com/current/installation-guide/packages-list/index.html#packages)?