Hello,

> > Should we keep generating both .sha1 and .sha512 for a transition
> > period?
> >
> IMO this would make sense. At least on Windows there are still several
> tools to verify file integrity which don't support SHA-512 just yet (one
> example [1]). Might pose another burden for some users to verify the
> package integrity (which on Windows isn't a functionality built directly
> into the OS unfortunately).

Not opposed to doing both. Just noting that after reading release.sh, it would seem that the .sha1 is primarily used to double check successful upload and publishing. User verification seems to be a secondary purpose, not least since we publish OpenPGP signatures on the full tarballs anyway.

Andreas