Why are MD5 checksum used for package verification #34
Labels
type/question
Packages users questions
Comments
|
Hello @alphaDev23 , You are right, we must review our hash verification in order to use a more "best practices" algorithm. From my view the best would be SHA-2, right? What do you think about it? let us know and thanks! Regards, |
|
SHA-256 is the checksum algo used by OSSEC (https://www.ossec.net/downloads.html) for users to verify downloads. |
|
We note down your advice, thanks @alphaDev23 . Regards, |
|
Ok @alphaDev23 , finally we are going to use SHA-512 for all our packages. Closing this issue. Further releases will come with SHA-512, thanks @alphaDev23 ! |
|
Thank you for considering the recommendation and making the change. |
|
You are welcome @alphaDev23 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Given that there are hashing algos less susceptible to collisions than MD5 (https://www.kb.cert.org/vuls/id/836068) and that Wazuh is software cantered around security, why are MD5 checksums used to verify packages (https://documentation.wazuh.com/current/installation-guide/packages-list/index.html#packages)?
The text was updated successfully, but these errors were encountered: