> On May 19, 2018, at 5:34 AM, Emmanuel Bourg <ebo...@apache.org> wrote: > On 18/05/2018 17:30, Gary Gregory wrote: > >> Thoughts? > > I wouldn't bother. The checksum is just there to ensure the download worked > properly, and for this even md5 is fine. > > The authenticity of the artifacts is ensured by the GPG signatures. > > Emmanuel Bourg
True, but there's a considerable portion of users who check the checksums and nothing else. ajs6f --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org