Peter, Anton V, Igniters,
The board communicated the following release policy changes:
-- for new releases :
   -- you MUST supply a SHA-256 and/or SHA-512 file
   -- you SHOULD NOT supply MD5 or SHA-1 files
Are we good? More details are below.
*2 Release Dist Policy Changes (Q? [email protected])
-----------------------------------------------------------------------
The Release Distribution Policy[1] changed regarding checksum files.
See under "Cryptographic Signatures and Checksums Requirements" [2].
Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
not just emphasized words ; for an explanation see RFC-2119 [3].
Old policy :
-- SHOULD supply a SHA checksum file
-- SHOULD NOT supply an MD5 checksum file
New policy :
-- SHOULD supply a SHA-256 and/or SHA-512 checksum file
-- SHOULD NOT supply MD5 or SHA-1 checksum files
Why this change ?
-- Like MD5, SHA-1 is too broken ; we should move away from it.
Impact for PMCs :
-- for new releases :
   -- you MUST supply a SHA-256 and/or SHA-512 file
   -- you SHOULD NOT supply MD5 or SHA-1 files
-- for past releases :
   -- you are not required to change anything ;
   -- it would be nice if you fixed your dist area ;
      start with : cleanup ; rename .sha's ; remove .md5's