On Sun, Aug 26, 2012 at 5:20 PM, Pedro Giffuni <p...@apache.org> wrote:
> BTW,
>
> ----- Original Message -----
> ...
>>>
>>> This is already part of the current process. The signatures are in
>>> download_external_dependencies.pl. The Central Maven Repository uses
>>> these as well.
>>>
>>
>> Those are MD5 hashes, not signatures. MD5 has been broken since 1996:
>>
>> http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities
>>
>
> We can simply replace MD5 with SHA256 (Apache-Extras
> generates SHA1).
>

Good enough for Bitcoins...

> Pedro.