On Wed, 30 Aug 2017, Julian Hyde wrote:
> Date: Wed, 30 Aug 2017 14:08:42 -0700
> From: Julian Hyde <jh...@apache.org>
> To: general@incubator.apache.org
> Subject: Digests in releases
>
> What is the correct forum for discussing release distribution policy?
>
> MD5 is no longer deemed secure[2]. I think we should remove it from
> our releases and mandate SHA256 or SHA512.
Agree ; we should not require or recommend MD5.
IMHO, discussions about "MD5 can be used for X but not for Y"
are a waste of time ; they never stop and convince nobody.
It is better to adopt something that we can agree on.
What can we agree on ?
-- SHA-1 : not as bad as MD5, but no longer considered secure
by some ; https://en.wikipedia.org/wiki/SHA-1 ; skip
-- SHA-256 : fine
-- SHA-512 : fine
So, I would suggest we pick SHA-256.
> Julian
Regards,
Henk Penning
------------------------------------------------------------ _
Henk P. Penning, ICT-beta R Uithof HFG-406 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl \_/