On Tue, Oct 24, 2017 at 2:50 AM, Luca Toscano <[email protected]> wrote: > > 2017-10-23 20:36 GMT+02:00 William A Rowe Jr <[email protected]>: >> >> HTTPD team, >> >> Since our downloads are to be authenticated by their .asc PGP >> signatures, and the hashes simply serve as checksums, is it reasonable >> to offer only MD5 and SHA256 at this point? >> >> Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest >> supported checksum. All others should apply the strongest hash >> validation. >> >> Thoughts? > > +1, I'd also get rid of MD5 since I don't expect anybody relying on it but I > might be wrong :)
As much as I'd like to, it wasn't long ago I was still building httpd on HP/UX, AIX and other oddballs. Having some old-school hash while httpd still compiles on those boxes seems rational.
