On 7/17/12 5:43 AM, Fernando Cassia wrote:
> On Mon, Jul 16, 2012 at 12:04 PM, Rob Weir <[email protected]> wrote:
>> or verifying the MD5 hashes.
>
> SHA1 :)
>
> ----
> In 2004, more serious flaws were discovered in MD5, making further use
> of the algorithm for security purposes questionable—specifically, a
> group of researchers described how to create a pair of files that
> share the same MD5 checksum.[4][5] Further advances were made in
> breaking MD5 in 2005, 2006, and 2007.[6] In December 2008, a group of
> researchers used this technique to fake SSL certificate
> validity,[7][8] and US-CERT now says that MD5 "should be considered
> cryptographically broken and unsuitable for further use."[9] and most
> U.S. government applications now require the SHA-2 family of hash
> functions
> ----
> http://en.wikipedia.org/wiki/MD5
>
> FC
>
Well, we have md5, sha1, sha256, sha512 and a gpg signature that can be verified.

OK, in the future I will reduce the sha checksums to only one. But I can't remember which one was required by virus scanners to identify our official releases, sha256 or sha512?

See for example http://people.apache.org/~jsc/developer-snapshots/r1359641/macos/

Juergen
