On Apr 18, 2006, at 1:35 PM, Colm MacCarthaigh wrote:
Also, what are people's thoughts on including sha1 signatures in our official dist? We haven't heretofore, is there any benefit? The PGP signatures are there to confirm veracity, the simple checksums are really only to detect corrupted downloads, but some users do make the md5 = insecure equation very readily.
No, there is no reason. sha1 is just as "insecure" for hashes as md5.

....Roy
