On Tue, Sep 18, 2018 at 8:21 AM Ruediger Pluem <rpl...@apache.org> wrote:

>
> On 09/18/2018 02:52 PM, William A Rowe Jr wrote:
> > Note that in moderation of annou...@apache.org, I received the following response;
> >
> >> MD5 and SHA1 hashes have been deprecated for some time on download pages (*)
> >>
> >> Please update the download page(s) to remove these.
> >>
> >> (*) http://www.apache.org/dev/release-distribution#sigs-and-sums
> >
> > Are we concerned with retaining either-or MD5 or SHA1 for legacy architecture users?
> > As we integrate to openssl 0.9.8+, and those all have an `openssl sha256` facility,
> > it seems like the concern is pretty obscure.
>
> Sounds reasonable.
>
> > Do we have an opinion on offering both sha256 + sha512? Only one or the other, and if so, which?
>
> Does offering both create additional work?
>

The pmc/apr/tools/release.sh script does emit all the desired hashes.

More hrefs to adjust in download.html, that's about it.

My only question was, does adding sha512 add "value" when the gpg
signature is supposedly authoritative (and anyone who can manipulate
the tarball can manipulate a sha file too.)
