On 2017-02-24 12:52, Jim Jagielski wrote:
> I think we should start, in addition to "signing" w/ md5 and sha-1,
> using sha-256 as well.

I have a question: why are you still using md5/sha1 for generating file hashes in the first place?

No one with knowledge of hashing algos would use these hashes to validate a file's authenticity.

Bottom line is that you lull people into a false sense of security by providing md5/sha1 hashes. People who don't know that these algorithms have been broken already might think that they are safe (by checking the file against the md5 hash) while in reality they are not.

Cheers,
  K. C.

-- 
regards Helmut K. C. Tessarek
lookup http://pool.sks-keyservers.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
