qbittorrent / qBittorrent-website

qBittorrent website
https://www.qbittorrent.org

Use SHA2-256 checksum #43

Closed Chocobo1 closed 6 years ago

Chocobo1 commented 6 years ago

@sledgehammer999 I think it's better to deprecate SHA1 now (in favor of SHA2-256); a crafted collision was found some time ago: https://shattered.io/ And since the released binaries are not digitally signed, choosing a good hash is rather important to verify their integrity.

Also, I added the hashes for tar packages and some style fixes.

sledgehammer999 commented 6 years ago

> And since the released binaries are not digitally signed, choosing a good hash is rather important to verify their integrity.

They are gpg signed. But I don't object to using sha256.

Chocobo1 commented 6 years ago

> They are gpg signed. But I don't object to using sha256.

I had a brain fart. Thanks for the approval.

Also, on fosshub, the MD5 & SHA1 are still being displayed; there is no harm, yet you might want to remove them.

sledgehammer999 commented 6 years ago

> Also, on fosshub, the MD5 & SHA1 are still being displayed; there is no harm, yet you might want to remove them.

It is autogenerated. I'll suggest to them to also calculate the sha256sum.

Chocobo1 commented 6 years ago

> It is autogenerated. I'll suggest to them to also calculate the sha256sum.

No need, the sha2-256 is already on there. For me, MD5 & SHA1 seem redundant when sha256 is already provided.
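
An added example, not part of this thread or the qBittorrent project's own code: a checker that verifies a downloaded file against a published SHA2-256 digest and refuses MD5- or SHA1-length digests, in line with the change discussed above. The function names, the file name and the file contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest lengths of the two algorithms the thread wants retired.
WEAK_BY_LENGTH = {32: "MD5", 40: "SHA1"}
SHA256_HEX_LEN = 64


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(path, published_digest):
    """Return True only if the file matches a published SHA2-256 digest.

    Raises ValueError for anything that is not a SHA2-256 hex digest,
    naming MD5 and SHA1 explicitly so the caller knows why it was refused.
    """
    digest = published_digest.strip().lower()
    if len(digest) in WEAK_BY_LENGTH:
        raise ValueError(f"{WEAK_BY_LENGTH[len(digest)]} digest refused; use SHA2-256")
    if len(digest) != SHA256_HEX_LEN or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA2-256 hex digest")
    # Compare digests without an early exit on the first differing character.
    return hmac.compare_digest(sha256_file(path), digest)


def demo():
    """Constructed sample: a small temporary file stands in for a release package."""
    data = b"constructed release contents\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-release.tar.xz")  # hypothetical name
        with open(path, "wb") as f:
            f.write(data)
        good = hashlib.sha256(data).hexdigest()
        tampered = "0" * 64  # well-formed SHA2-256 digest that does not match
        return verify_release(path, good), verify_release(path, tampered)


if __name__ == "__main__":
    print(demo())
```

A matching digest shows only that the file equals what the listing describes; the GPG signature mentioned in the thread is what ties the file to the release signer.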