Hi,

related to the question on MD5, I'd propose to remove the SHA-1 altogether. In 
my understanding it provides absolutely no security but gives the user a false 
sense of security.
If an attacker is able to falsify the download, why shouldn't he be able to 
also falsify the checksum? Or am I missing something?

The only proper countermeasure is a GPG signature with a trust path from my 
key to the signer's key.

Related to this, it would be a very good thing if the user interface for Git 
tags somehow distinguished between signed and unsigned tags and encouraged 
developers to use signed tags for release points.

Best regards,

Thomas Koch, http://www.koch.ro
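As an added illustration of the argument in this mail (not part of Thomas Koch's message), the Go program below models a download site that hosts a SHA-1 checksum next to the artifact: an attacker who replaces the file simply recomputes the checksum, so the checksum still "verifies", while a detached signature checked against a key obtained through a trust path fails. Ed25519 from the Go standard library stands in for the GPG signature, and the sample file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Release is what a download site serves: the artifact plus a SHA-1 checksum
// published right next to it, the arrangement the mail objects to.
type Release struct{ Artifact []byte; SHA1Hex string }

// publish computes the checksum hosted beside the artifact. An attacker who
// controls the site runs the same step on a replaced artifact, so both agree.
func publish(artifact []byte) Release {
	sum := sha1.Sum(artifact)
	return Release{Artifact: artifact, SHA1Hex: hex.EncodeToString(sum[:])}
}

// checksumMatches is the check the mail calls useless: the hash travelled over
// the same channel as the artifact it is supposed to protect.
func checksumMatches(r Release) bool {
	return publish(r.Artifact).SHA1Hex == r.SHA1Hex
}

// signatureValid verifies a detached signature against a public key obtained
// through a trust path, not from the download site. Ed25519 stands in for GPG.
func signatureValid(pub ed25519.PublicKey, r Release, sig []byte) bool {
	return ed25519.Verify(pub, r.Artifact, sig)
}

// scenario: the developer signs genuine; the site serves `served` (the genuine
// file, or an attacker's replacement) with a freshly computed checksum.
func scenario(genuine, served []byte) (checksumOK, signatureOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, genuine) // signature fetched out of band
	hosted := publish(served)          // whatever the site actually serves
	return checksumMatches(hosted), signatureValid(pub, hosted, sig)
}

func main() {
	c, s := scenario([]byte("release-1.0.tar.gz: constructed sample"),
		[]byte("release-1.0.tar.gz: attacker's replacement"))
	fmt.Printf("tampered download: checksum ok=%v, signature ok=%v\n", c, s)
}
```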
