On Tue, Jun 24, 2008 at 02:14:28PM -0700, [EMAIL PROTECTED] wrote:

> I'm not sure I completely agree. Once we move to SHA-256, we ought to
> stop publishing new package content with old hash algorithms.

There's no harm (I think) in continuing to accept requests via the old hashes. Clients that care sufficiently will stop doing that, and obviously such clients will start existing at the same time the server-side support for new hash algorithms is available, so for people keeping up-to-date, it'll be immediate.

> I would expect that we would continue to support previously created
> content under a legacy hash-algorithm; however, the idea would be to
> phase out the old, presumably broken, algorithm as soon as possible.

It's not broken; people just have "concerns". It's not clear to me how rational those concerns are, but it doesn't cost us much, so we might as well move. For low-security things, such as icons, it probably doesn't matter all that much. I'm not sure that I want to completely disable old manifests even if they're not all that old (regardless of where they're using the old hash algorithm).

Danek

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
