garethr / vagrantboxes-heroku

Repository for http://www.vagrantbox.es

Add MD5 for each box. #123

Open flyisland opened 11 years ago

flyisland commented 11 years ago

It would help to verify if the downloaded file is correct.

JonTheNiceGuy commented 10 years ago

Unfortunately, we rely on people submitting data to us - many have added MD5 sums, but most have not. We're looking to improve things in the way we collate this data in the near-term (See #29 for details), so perhaps incorporating the MD5 sum on that would be good, but it's not something I can see anyone pushing for.

Given most people do vagrant box add {boxname} {boxurl} and that doesn't show an MD5 or SHA1, is this still relevant?

alexzorin commented 9 years ago

cc @JonTheNiceGuy #221

> What you're proposing isn't what the OP proposes

You're totally right, I did see that this issue exists later on (got to #221 by a Google search).

> but given you're suggesting retrospectively adding this to all 246 boxes, I think we might struggle a bit with it

Not at all, only if authors wish to sign their boxes. People can choose to only use signed boxes if they wish, and it will introduce reputation and trust into the system.

As for md5/sha1 digest vs digital signature, well, something is better than nothing. It's true that doing an md5sum is way easier than verifying a PGP signature, and the requirement for a PR would link the md5 digest to the GitHub user anyway ... so maybe @flyisland's suggestion is good enough.

JonTheNiceGuy commented 9 years ago

I should add, we do actually have a single box (a Fedora image) which lists both its SHA1 and MD5 sum... perhaps we could encourage that to be the template?

holms commented 9 years ago

@JonTheNiceGuy I actually could hash everything we have, and even remove those images whose links are no longer available. But I see that you had a few PRs about a new template. I'd also vote for the new template first. When you have the new template ready, I'd do the cleanup for you. :+1:
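
An added example, not part of the original thread or the project's code: a checker for the situation discussed above, where some listed boxes carry an MD5 or SHA1 sum and most carry none. The function names, the `(name, path, digest)` entry shape and the `require_digest` switch are assumptions for illustration; SHA256 is accepted as well, which goes beyond the two digests the thread mentions.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithm is inferred from the hex length of the listed digest.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte box is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_box(path, listed_digest):
    """Return (status, detail); status is ok, mismatch, unlisted or malformed."""
    if not listed_digest or not listed_digest.strip():
        return "unlisted", "listing carries no digest for this box"
    expected = listed_digest.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        return "malformed", "digest is not MD5/SHA1/SHA256 hex"
    actual = file_digest(path, algo)
    if hmac.compare_digest(actual, expected):
        return "ok", f"{algo} matches listing"
    return "mismatch", f"{algo} expected {expected}, got {actual}"

def check_listing(entries, require_digest=False):
    """entries: (name, local_path, listed_digest or None), a hypothetical shape.
    With require_digest=True, boxes that list no digest are rejected too."""
    results = {}
    for name, path, digest in entries:
        status, detail = verify_box(path, digest)
        accepted = status == "ok" or (status == "unlisted" and not require_digest)
        results[name] = (status, accepted, detail)
    return results

if __name__ == "__main__":
    # Constructed sample: a small temp file stands in for a downloaded .box.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".box") as tmp:
        tmp.write(b"constructed box contents")
    good = hashlib.sha1(b"constructed box contents").hexdigest()
    listing = [("with-sha1", tmp.name, good), ("tampered", tmp.name, "0" * 32),
               ("no-digest", tmp.name, None)]
    for name, result in check_listing(listing, require_digest=True).items():
        print(name, result)
    os.unlink(tmp.name)
```

A match only shows that the file equals what the listing describes; linking that digest to a person still depends on the PR trail or a signature, as discussed in the thread.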