On 30 August 2017 at 22:08, Julian Hyde <jh...@apache.org> wrote:
> What is the correct forum for discussing release distribution policy?
>
> Current policy [1] states:
>
> Every artifact distributed to the public through Apache channels MUST
> be accompanied by one file containing an OpenPGP compatible ASCII
> armored detached signature and another file containing an MD5 checksum.
>
> ...
>
> An SHA checksum SHOULD also be created.
>
>
> MD5 is no longer deemed secure[2]. I think we should remove it from
> our releases and mandate SHA256 or SHA512.
Surely the main purpose of the hash is to check that the download has been successful. As such, MD5 is adequate.

> Julian
>
> [1] http://www.apache.org/dev/release-distribution.html#sigs-and-sums
>
> [2] https://en.wikipedia.org/wiki/Md5sum
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
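The check that the quoted policy expects a downloader to perform, as an added example that is not part of the thread and not Apache's own tooling: it parses the checksum file shipped next to an artifact, works out which digest it holds from the digest length rather than the file extension, applies an allow-list of algorithms (the default matches the SHA-256/SHA-512-only proposal; pass allowed=("md5", ...) to keep MD5 for the plain download-integrity use argued for in the reply), and compares in constant time. The three checksum-file layouts it accepts are assumptions about what is found in the wild: the sha512sum/md5sum layout, the gpg --print-md layout (name, colon, upper-case groups of eight hex characters, possibly wrapped), and the openssl dgst layout. The exact line wrapping generated for the gpg layout, the artifact name and the artifact bytes are all constructed for the example.

```python
"""Verify a downloaded artifact against its .sha512/.sha256/.md5 file.

Added example for this thread, not Apache tooling.  Assumed checksum-file
layouts (the parser accepts any wrapping of the gpg layout):
    coreutils        <hex>  <name>             sha512sum / md5sum output
    gpg --print-md   <name>: <HEX> <HEX> ...   8-char groups, may wrap
    openssl dgst     SHA512(<name>)= <hex>
    bare             <hex>
"""
import hashlib
import hmac
import re
from collections import namedtuple

ARTIFACT_NAME = "example-1.0-src.tar.gz"             # constructed name
ARTIFACT_BYTES = b"example release payload\n" * 100  # constructed content

# Digest length in hex characters -> algorithm.  Lets the verifier see what
# it was handed without trusting the file extension.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# status is one of "ok", "mismatch", "rejected"
VerifyResult = namedtuple("VerifyResult", "algorithm status")

_HEX = re.compile(r"[0-9A-Fa-f]+")
_PRINT_MD = re.compile(r"^(?P<name>\S+?):\s*(?P<hex>[0-9A-Fa-f][0-9A-Fa-f\s]*)$", re.S)
_OPENSSL = re.compile(r"^(?P<alg>[\w-]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9A-Fa-f]+)$")


def parse_checksum_file(text: str, artifact_name: str) -> str:
    """Return the lowercase hex digest recorded for artifact_name."""
    body = text.strip()
    m = _PRINT_MD.match(body)
    if m:                                       # gpg --print-md layout
        if m.group("name") != artifact_name:
            raise ValueError(f"file is for {m.group('name')!r}, not {artifact_name!r}")
        return re.sub(r"\s+", "", m.group("hex")).lower()
    for line in body.splitlines():              # one entry per line layouts
        m = _OPENSSL.match(line.strip())
        if m and m.group("name") == artifact_name:
            return m.group("hex").lower()
        parts = line.split()
        if not parts or not _HEX.fullmatch(parts[0]):
            continue
        if len(parts) == 1:                     # bare digest, no file name
            return parts[0].lower()
        if parts[1].lstrip("*") == artifact_name:   # '*' marks binary mode
            return parts[0].lower()
    raise ValueError(f"no digest for {artifact_name!r} in checksum file")


def verify_artifact(data: bytes, artifact_name: str, checksum_text: str,
                    allowed=("sha256", "sha512")) -> VerifyResult:
    """Check data against the digest in checksum_text.

    Algorithms outside `allowed` are reported as 'rejected' before any
    hashing happens.  The default allow-list follows the thread's proposal;
    allowed=("md5", "sha256", "sha512") reproduces the download-integrity
    only use of an .md5 file.
    """
    expected = parse_checksum_file(checksum_text, artifact_name)
    algorithm = DIGEST_LENGTHS.get(len(expected))
    if algorithm is None:
        raise ValueError(f"unrecognised digest length {len(expected)}")
    if algorithm not in allowed:
        return VerifyResult(algorithm, "rejected")
    actual = hashlib.new(algorithm, data).hexdigest()
    ok = hmac.compare_digest(actual, expected)
    return VerifyResult(algorithm, "ok" if ok else "mismatch")


# The three generators below only build sample checksum files for the demo.
def coreutils_text(artifact_name: str, data: bytes, algorithm: str) -> str:
    return f"{hashlib.new(algorithm, data).hexdigest()}  {artifact_name}\n"


def openssl_text(artifact_name: str, data: bytes, algorithm: str) -> str:
    return f"{algorithm.upper()}({artifact_name})= {hashlib.new(algorithm, data).hexdigest()}\n"


def print_md_text(artifact_name: str, data: bytes, algorithm: str) -> str:
    """gpg --print-md layout; 8 groups per line with continuation lines
    indented to the colon is an assumption about gpg's wrapping."""
    digest = hashlib.new(algorithm, data).hexdigest().upper()
    groups = [digest[i:i + 8] for i in range(0, len(digest), 8)]
    head = f"{artifact_name}: "
    lines = [head + " ".join(groups[:8])]
    for i in range(8, len(groups), 8):
        lines.append(" " * len(head) + " ".join(groups[i:i + 8]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    samples = [
        ("sha512sum layout", coreutils_text(ARTIFACT_NAME, ARTIFACT_BYTES, "sha512")),
        ("gpg --print-md layout", print_md_text(ARTIFACT_NAME, ARTIFACT_BYTES, "sha512")),
        ("openssl layout", openssl_text(ARTIFACT_NAME, ARTIFACT_BYTES, "sha256")),
        ("md5 file under default policy", coreutils_text(ARTIFACT_NAME, ARTIFACT_BYTES, "md5")),
    ]
    for label, text in samples:
        print(label, verify_artifact(ARTIFACT_BYTES, ARTIFACT_NAME, text))
    print("tampered download", verify_artifact(ARTIFACT_BYTES + b"\x00", ARTIFACT_NAME,
                                              coreutils_text(ARTIFACT_NAME, ARTIFACT_BYTES, "sha512")))
```

Detecting the algorithm from the digest length means a .md5 file renamed to .sha512 is still reported as md5 and rejected under the default policy; note that the checksum only tells you the bytes arrived intact, and that the detached OpenPGP signature the policy also requires is what ties the artifact to the release manager's key.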