On Fri, Oct 09, 2015 at 06:32PM, Dmitriy Setrakyan wrote:
> On Fri, Oct 9, 2015 at 2:02 PM, Konstantin Boudnik <[email protected]> wrote:
>
> > Guys,
> >
> > We had to get rid of md5 sum long time ago, but it seems that sha1 is hitting
> > the wall as well. Here's the good description of the problem:
> > https://sites.google.com/site/itstheshappening/
> >
> > I'd suggest to scrap both of them in the next release. Any objections?
> >
>
> I am not sure if we need to scrap SHA1. People do not have to use it if
> they don't trust it.
Why would we even bother providing a checksum that isn't trustworthy? It isn't
a new development - we knew it for a while.
> Are there any official ASF recommendations here?
Yes, of course. This is the one, I am sure everyone here is aware of it
http://www.apache.org/dev/release-signing.html#sha1
In the frame of the particular discussion
http://www.apache.org/dev/release-signing.html#md5-security
http://www.apache.org/dev/release-signing.html#sha1
Cos