Okay. It's true that MD5 hashes have long been considered unsuitable for cryptography related to security such as encrypting passwords and such. And it's true that Fedora has been shipping SHA-256 hashes (found in the appropriate CHECKSUM file
) to verify downloaded ISO files with sha256sum since Fedora 11. lsatenstein should do that, or run the Media Check in Anaconda as recommended above. However, it's also true (or used to be) that Fedora uses MD5 hashes for the Media Check feature of Anaconda.
There is a tiny rpm package named isomd5sum, and a version of it shipped with Fedora 17. That package provides a utility named checkisomd5. It is that utility that Anaconda uses in the Media Check to verify the integrity of the data on a Fedora DVD by generating an MD5 hash for the DVD and comparing it to an MD5 hash embedded in the DVD. Or, at least it used to do this. I haven't used Fedora since version 14, and I'm not going to download the Fedora 17 DVD ISO and burn it to disk just to confirm it still does this. But if anybody else is interested in testing this for Fedora 17, checkisomd5 will (or used to) run the Anaconda Media Check in a terminal as I showed here two years ago...
Nowdays, I use Linux From Scratch exclusively as my Linux "distro", and every single package downloaded in LFS is verified using MD5 hashes. But those hashes are used only to verify the integrity of the transmitted data, not its authenticity. For that, I verify GPG signatures (when they are provided). I find that GPG signatures are provided with only about half of the 500 or so tarballs that I download for a BLFS system.
So MD5 may not be considered secure any more, but there still is a use for MD5 hashes. Even in Fedora 17 (probably). Maybe some curious person will test that.