Re: [PATCH] use SHA-2 family hash for releases

From: Andreas Stieger <Andreas.Stieger_at_gmx.de>
Date: Fri, 24 Feb 2017 13:45:27 +0100

Hello,

> > Should we keep generating both .sha1 and .sha512 for a transition
> > period?
> >
> IMO this would make sense. At least on Windows there are still several
> tools to verify file integrity which don't support SHA-512 just yet (one
> example [1]). Might pose another burden for some users to verify the
> package integrity (which on Windows isn't a functionality build directly
> into the OS unfortunately).

Not opposed to doing both. Just noting that after reading release.sh, it would seem that the .sha1 is primarily used to double check successful upload and publishing. User verification seems to be a secondary purpose, not least since we publish OpenPGP signatures on the full tarballs anyway.

Andreas
Received on 2017-02-24 13:45:34 CET

This message: [ Message body ]
Next message: Branko Čibej: "Re: Files with identical SHA1 breaks the repo"
Previous message: Andreas Stieger: "Re: Files with identical SHA1 breaks the repo"
In reply to: Stefan Hett: "Re: [PATCH] use SHA-2 family hash for releases"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]