On Fri, Feb 24, 2017 at 12:02 PM, Yann Ylavic <[email protected]> wrote:
> On Fri, Feb 24, 2017 at 6:52 PM, Jim Jagielski <[email protected]> wrote:
>> I think we should start, in addition to "signing" w/ md5 and sha-1,
>> using sha-256 as well.
>>
>> Sound OK?
>
> Our "true" signing has and will always be PGP.
> Though SHA-256 is often asked by users@, so,
> +1

+1 to adding SHA-256, +/-0 for SHA-512 at this point in time.

With that change, +1 to removing SHA-1, and +/-0 to retaining MD5.
One modern sha hash is sufficient to verify the transmission, and
these hashes may only be used for that purpose. I'm ok with retaining
MD5 simply because a tiny number of downloaders will have no SHA hash
validation tool at hand. It's still sufficient to check that the
download was not corrupted.

If we dig through our site and delete all references to 'signature'
with respect to any hashes, how do we refer to these? This is what
autoindex reports from www.a.o/dist/...

  httpd-2.2.32.tar.bz2.asc  2017-01-12 18:38  801  PGP signature
  httpd-2.2.32.tar.bz2.md5  2017-01-12 18:38   55  MD5 hash

Good there, no claim that this is a signature. In the corresponding
README in /dist/httpd, we state

"We offer MD5 hashes as an alternative to validate the integrity of
the downloaded files. A unix program called md5 or md5sum is included
in many unix distributions. It is also available as part of GNU
Textutils. Windows users can get binary md5 programs from here, here,
or here."

That message should be split out from 'PGP Signatures' and then
we can add the openssl command line syntax for sha validation.

There are other issues with downloads.html which I'm working up
a patch for already, but let's go ahead and do this. We made little
mention of .sha1 in our docs, so replacing these with .sha256 is
a no-brainer.
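
Added example, not part of the original message or of the project's README: one way a downloader could check a file against a published .sha256 file with the openssl command line, treating a match as a transfer-integrity check only. The function names and the accepted digest-file layouts are assumptions; the message does not specify a format.

```shell
#!/bin/sh
# A matching hash shows the download was not corrupted in transit.
# It is not a signature: authenticity comes from verifying the .asc with PGP.

# Print the lowercase hex SHA-256 of a file (hypothetical helper).
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Prints "SHA256(name)= <hex>" or "SHA2-256(name)= <hex>"; keep the last field.
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        # Fallback when openssl is not installed.
        sha256sum "$1" | awk '{print $1}'
    fi | tr 'A-F' 'a-f'
}

# Print the first token in a digest file that is exactly 64 hex digits.
# Assumed layouts: "<hex>  name", "SHA256(name)= <hex>", or a bare "<hex>".
# MD5 (32 digits), SHA-1 (40) and SHA-512 (128) values are not accepted.
expected_sha256() {
    tr 'A-F' 'a-f' < "$1" | tr -c '0-9a-f\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++) if (length($i) == 64) { print $i; exit } }'
}

# Return 0 on match, 1 on mismatch, 2 when an input is unreadable or the
# digest file holds no SHA-256 value.
verify_sha256() {
    file=$1
    digest_file=$2
    [ -r "$file" ] && [ -r "$digest_file" ] || return 2
    want=$(expected_sha256 "$digest_file")
    [ -n "$want" ] || return 2
    got=$(sha256_of "$file")
    [ "$got" = "$want" ]
}

# Usage: sh verify.sh httpd-2.2.32.tar.bz2 httpd-2.2.32.tar.bz2.sha256
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
    rc=$?
    case $rc in
        0) echo "OK: SHA-256 matches (integrity only, verify the PGP signature too)" ;;
        1) echo "MISMATCH: download is corrupted or altered" ;;
        *) echo "ERROR: unreadable input or no SHA-256 value found" ;;
    esac
    exit "$rc"
fi
```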
