by tialaramex
2991 days ago
Rather than "vaguely possible", MD5 collisions are now so easy you can make new ones at home on an ordinary PC in a few seconds, and you can do a chosen-prefix collision (thus enabling you to pick a "format" and collide within that) in a few hours. Cryptography never gets _less_ broken, only more broken with time. Now, in this particular scenario (a publisher tells us the MD5 of an image, and we can check it to see we got the image) collision isn't so important. We have to trust you anyway, so we may as well trust you to not collide the hash too. But MD5 is no longer even proof against second pre-image attacks, albeit the best known are as yet impractical. This is really bad news. MD5 has been known to be irrevocably broken since 2004, and had been expected to fall since the mid to late 1990s. DragonFly BSD was only started in 2003. Why use MD5? Imagine if in 2003 you'd decided to build a 16-bit OS, or one that doesn't do TCP/IP, because after all, in the mid-to-late 1990s that might have seemed fine too...
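As an added example (not part of tialaramex's comment, and not code from any project discussed on this page): the published Wang et al. (2004) MD5 collision pair checked with Python's standard library, plus a demonstration of why a single colliding pair is reusable. MD5 is a Merkle-Damgård hash, so once two inputs reach the same internal state after a whole number of 64-byte blocks, any common suffix keeps them colliding; that is the mechanism behind embedding colliding blocks inside a chosen file format. This is the weaker identical-prefix case; a chosen-prefix collision, where the two inputs start with attacker-selected and different content, needs far more work and is not shown here. The trailing suffix is a constructed string used only to illustrate the property.

```python
import hashlib

# Two distinct 128-byte messages from Wang, Feng, Lai and Yu (2004)
# that share an MD5 digest. Embedded verbatim from the published pair.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides_under_md5(a: bytes, b: bytes) -> bool:
    """True when the inputs are different bytes but have the same MD5 digest."""
    return a != b and md5_hex(a) == md5_hex(b)


def extend_collision(a: bytes, b: bytes, suffix: bytes) -> tuple[bytes, bytes]:
    """Append a common suffix to both halves of a colliding pair.

    Both inputs must be a whole number of 64-byte blocks, so that MD5's
    internal chaining value is identical for a and b at the point where the
    suffix is appended. From there the two computations are indistinguishable,
    so the extended messages still collide. This is the property an attacker
    relies on to wrap colliding blocks in an otherwise ordinary file.
    """
    if len(a) % 64 or len(b) % 64:
        raise ValueError("colliding prefix must be block aligned")
    return a + suffix, b + suffix


if __name__ == "__main__":
    print("MD5 of A:   ", md5_hex(MSG_A))
    print("MD5 of B:   ", md5_hex(MSG_B))
    print("differ at:  ", differing_offsets(MSG_A, MSG_B))
    # Constructed suffix standing in for the rest of a file format.
    ext_a, ext_b = extend_collision(MSG_A, MSG_B, b"constructed trailing payload")
    print("still collide after suffix:", collides_under_md5(ext_a, ext_b))
    print("SHA-256 distinguishes them:", sha256_hex(MSG_A) != sha256_hex(MSG_B))
```

The six differing offsets are the three bit flips per 64-byte block that the Wang attack uses (words 4, 11 and 14 of each block), so the two messages are visibly different while `hashlib.md5` returns the same digest for both, with or without the appended suffix. A collision-resistant hash such as SHA-256 separates them immediately.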