HTTPD team, Since our downloads are to be authenticated by their .asc PGP signatures, and the hashes simply serve as checksums, is it reasonable to offer only MD5 and SHA256 at this point?
Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest supported checksum. All others should apply the strongest hash validation. Thoughts? Bill