gnu-octave / symbolic

A Symbolic Package for Octave using SymPy
https://octave.sourceforge.io/symbolic/
GNU General Public License v3.0

release: Use modern cryptographic hash function instead of MD5 #1180

Closed alexvong243f closed 2 years ago

alexvong243f commented 2 years ago

In https://github.com/cbm755/octsympy/releases/tag/v3.0.0 we are still using MD5, but MD5 has been considered broken for more than 10 years: https://crypto.stackexchange.com/questions/2994/what-is-the-recommended-replacement-for-md5

~~I suggest we replace it with SHA-384 or BLAKE2b-512; both are available out of the box as shell commands: sha384sum and b2sum~~ Using SHA-256 for integrity check is good enough if it's what we've already got!

cbm755 commented 2 years ago

good idea, xref #1155

Note that the backend to pkg install -forge symbolic which is https://github.com/gnu-octave/packages/pull/128 uses (or at least lists sha256) so for now I'll just list that too under release.

alexvong243f commented 2 years ago

Great. I think we should even drop the MD5 checksum in https://github.com/cbm755/octsympy/releases/tag/v3.0.0

Basically, there are 2 cases. For those who know the problem of MD5 checksum, they will choose the SHA-256 checksum. For those who don't know the problem of MD5 checksum, we don't want them to accidentally choose the insecure MD5 checksum.

I don't see any reason to keep MD5 checksum unless it's for compat (but I cannot think of any automatic tools relying on this behaviour).
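The release flow the thread settles on (publish only a SHA-256 list, and have users verify against it) is shown below as an added example. This is not octsympy's release tooling; the artifact names are constructed stand-ins for the v3.0.0 tarball and zip, and the script assumes GNU coreutils `sha256sum` is on `PATH`. The verify step uses `sha256sum -c --strict`, so a single altered byte in any listed artifact, or a malformed line in the sums file, makes the check fail.

```shell
#!/bin/sh
# Added example, not part of the octsympy project: publish a SHA256SUMS file for
# release artifacts and verify it. No MD5 line is ever written, so a user cannot
# accidentally pick the weaker digest.
set -eu

# Constructed sample artifacts (stand-ins for the real release files).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'constructed release tarball contents\n' > "$WORK/symbolic-3.0.0.tar.gz"
printf 'constructed release zip contents\n'     > "$WORK/symbolic-3.0.0.zip"

# digest FILE: print the hex SHA-256 of FILE (64 hex characters).
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_checksums DIR: write DIR/SHA256SUMS covering every release artifact,
# in the "HASH  NAME" format that `sha256sum -c` reads back.
make_checksums() {
    ( cd "$1" && sha256sum symbolic-3.0.0.tar.gz symbolic-3.0.0.zip > SHA256SUMS )
}

# verify_checksums DIR: exit 0 only if every artifact listed in DIR/SHA256SUMS
# matches; --strict also rejects malformed lines instead of ignoring them.
verify_checksums() {
    ( cd "$1" && sha256sum -c --strict --quiet SHA256SUMS ) >/dev/null 2>&1
}

# Demo run: publish the sums, then verify them as a downloader would.
make_checksums "$WORK"
if verify_checksums "$WORK"; then
    echo "SHA256SUMS verified for $(grep -c . "$WORK/SHA256SUMS") artifacts"
else
    echo "verification FAILED" >&2
fi
```

To use this against a real release, replace the constructed files with the downloaded artifacts and the published SHA256SUMS, and run the verify step in the download directory; a non-zero exit means at least one file does not match what was released.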