Hi all,

While I'm investigating Maven code to allow re-using checksums of Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and .sha1 seem to be used by Wagon, and then also noticed that Maven Central doesn't contain a "safe" digest signature either. In this world of supply chain attacks, it could be important to use stronger algorithms.

Sure, there is the PGP signature, but PGP is not intended to verify the transfer; it's more meant to allow delegating a trust decision from the artifact to the signer. Using it to verify transfer seems overkill, so we'd rather avoid having to rely on it for transfer verification.

I tried to look on Jira and couldn't see an issue that seems dedicated to this topic. As the concerns about md5 and sha1 are relatively old, I may have missed something. Is there an issue already open to move towards sha256, or should I create a new one?

Thanks in advance
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/eclipseide> developer, for Red Hat Developers <https://developers.redhat.com/>
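The following is an added example, not code from the mailing-list post nor from Maven, Wagon or Tycho, of what "transfer verification" against a checksum sidecar looks like and why the choice of digest matters. It assumes the sidecar layout Maven repositories use (an `artifact.jar.sha1` or `artifact.jar.md5` file holding the hex digest, which some tools write in the coreutils form `<hex>  <filename>`), and it treats a hypothetical `.sha256`/`.sha512` sidecar the same way. The artifact bytes are constructed, not a real JAR. The checker prefers the strongest sidecar that is present and reports when it had to fall back to md5 or sha1, which is the condition a repository operator or build tool would want to log or reject.

```python
import hashlib
import hmac

# Constructed sample "artifact" bytes; a real Maven artifact would be the JAR/POM file.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed-jar-contents example-1.0.0"

# Sidecar extension -> hashlib constructor. sha256/sha512 sidecars are assumed
# here; Maven Central publishes .md5 and .sha1 as the post describes.
SUPPORTED = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}
# Algorithms with practical collision attacks; acceptable only to detect
# accidental corruption, not a substituted artifact.
WEAK = {"md5", "sha1"}
# Strongest first: the order in which a client should try sidecars.
PREFERENCE = ("sha512", "sha256", "sha1", "md5")


def digest_hex(data: bytes, algo: str) -> str:
    """Hex digest of data with the named algorithm."""
    return SUPPORTED[algo](data).hexdigest()


def parse_checksum_file(text: str) -> str:
    """Extract the hex digest from a sidecar file.

    Accepts both the bare-digest form Maven writes and the
    '<hex>  <filename>' form produced by sha1sum/sha256sum.
    """
    parts = text.strip().split()
    if not parts:
        raise ValueError("empty checksum file")
    token = parts[0].lower()
    if any(c not in "0123456789abcdef" for c in token):
        raise ValueError("checksum is not hexadecimal")
    return token


def verify_artifact(data: bytes, checksum_text: str, algo: str) -> bool:
    """Compare the artifact's digest with the sidecar content.

    A length mismatch (e.g. a .sha1 file accidentally holding a sha256 value)
    is a failure, not a partial match; the comparison itself is constant-time.
    """
    expected = parse_checksum_file(checksum_text)
    actual = digest_hex(data, algo)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


def verify_best_available(data: bytes, sidecars: dict) -> tuple:
    """Verify against the strongest sidecar present.

    sidecars maps extension ("sha1", "md5", ...) to the sidecar file's text.
    Returns (algorithm used, verification result, whether that algorithm is weak)
    so a caller can both reject mismatches and flag downloads that were only
    protected by md5/sha1.
    """
    for algo in PREFERENCE:
        if algo in sidecars:
            return algo, verify_artifact(data, sidecars[algo], algo), algo in WEAK
    raise ValueError("no checksum sidecar available for this artifact")


def make_sidecars(data: bytes, algos) -> dict:
    """Produce sidecar texts for an artifact, as a publisher would."""
    return {algo: digest_hex(data, algo) + "\n" for algo in algos}


if __name__ == "__main__":
    # What Maven Central offers today: md5 and sha1 only.
    today = make_sidecars(SAMPLE_ARTIFACT, ("md5", "sha1"))
    print(verify_best_available(SAMPLE_ARTIFACT, today))
    # With a sha256 sidecar published alongside, the client prefers it.
    stronger = make_sidecars(SAMPLE_ARTIFACT, ("md5", "sha1", "sha256"))
    print(verify_best_available(SAMPLE_ARTIFACT, stronger))
    # A modified artifact fails against the published digest.
    print(verify_best_available(SAMPLE_ARTIFACT + b"x", stronger))
```

The `is_weak` flag in the result is the piece a build tool would act on: with only `.md5`/`.sha1` available, a successful check still proves nothing against a deliberately substituted artifact, so such downloads should be recorded as unverified-against-tampering rather than silently accepted.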
