Feature added by: Thomas Biege (thomasbiege) Feature #306519, revision 1 Title: rpm support for new digest openSUSE-11.2: New Priority Requester: Important Requested by: Thomas Biege (thomasbiege) Partner organization: openSUSE.org Description: The signed rpm file is the only line of defense we have to protect our packages against tampering while in transit from us to the user/customer. This line gets thinner because the successful attacks against SHA1 and MD5 continue and tools exists that allow easy manipulation since about a year. The good news is that we use MD5 and SHA1 together and not one of this weak algorithms alone. It is only a matter of time until somebody will be able to create a rpm file that fooles MD5 as well as SHA1. If this happens the rpm files of already released and still supported products are vulnerable to manipulation. rpm version 4.6.0 was released this month and support alternative algorithms. We should switch to this version as early as possible to avoid uneccesary costs in the future. Business case (Partner benefit): openSUSE.org: Example: Crypto-analysis scientists improve their attacks and will be able to bypass MD5/SHA1 (hybrid) signatures at 2012. This means we have to adapt rpm, zypp and other tools to support SHA256 bring this new base utils to the customer and re-release the packages with a new signature. Additionally we run in a hen-egg-problem because with the vulnerable libzypp/rpm tools at the client system it is not possible to guarantee the integrity of the new libzypp/rpm packages. This will cause trouble and will cost valueable time. The risk and cost rises the longer we wait because more prodcuts will be affected more likely. Therefore it would be good to adapt the new rpm version for 11.2. If it is too late to make this change it would be wise to deliver the new tools (rpm 4.6.0, what else?) additionally to the tools we need now to avoid the hen-egg-problem. -- openSUSE Feature: https://features.opensuse.org/306519