Actually our project (Apache OpenMeetings) uses sha256 for many releases .... And it was discussed in the members list, I believe it is ok to switch. Or maybe you can have 3 signatures for a certain period of time.
WBR, Maxim (from mobile, sorry for the typos)

On Feb 4, 2017 20:18, "Andrea Del Bene" <an.delb...@gmail.com> wrote:

> On 04/02/2017 02:00, Maxim Solodovnik wrote:
>
>> +1 (non-binding)
>>
>> tested:
>> 1) signature sha
>> 2) build from sources
>> 3) our main application
>>
>> PS Maybe it's time to change sha1 to something stronger? sha256 for ex.?
>>
> That's a hot topic :-). Martin also suggested to use stronger hash
> algorithms (see WICKET-6074). However this kind of decision can be made
> only by the Apache Foundation. At the moment md5 and sha1 are explicitly
> required to release our artifacts:
> https://www.apache.org/dev/release-signing.html#basic-facts
>
>> On Sat, Feb 4, 2017 at 4:58 AM, Tobias Soloschenko <tobiassolosche...@googlemail.com> wrote:
>>