That won't guarantee the right choice, unfortunately. Some of the
popular projects are still using md5 ;(
Why not going with sha-512? This is release checksum'ing - we don't
care about computational difficulties nor efficiencies. It is done one
every few months. And we care in this case is the correctness and
robustness.
--
With regards,
Konstantin (Cos) Boudnik
2CAC 8312 4870 D885 8616 6115 220F 6980 1F27 E622
Disclaimer: Opinions expressed in this email are those of the author,
and do not necessarily represent the views of any company the author
might be affiliated with at the moment of writing.
On Thu, Jul 27, 2017 at 6:28 AM, Anton Vinogradov
<avinogra...@gridgain.com> wrote:
> Oleg,
>
> Let's check what's used at another popular Apache Projects.
>
> On Wed, Jul 26, 2017 at 11:10 PM, Dmitry Pavlov <dpavlov@gmail.com>
> wrote:
>
>> Hi Oleg,
>>
>> Both MD5 and SHA1 are deprecated and can't be considered as trustfull.
>>
>> I think at-least-256 bit member of the SHA-2 family (e. g. sha512) should
>> be used.
>>
>> Sincerely,
>> Dmitriy Pavlov
>>
>> ср, 26 июл. 2017 г. в 22:27, Oleg Ostanin <oosta...@gridgain.com>:
>>
>> > Hi,
>> >
>> > We need to decide what сhecksum algorythm we should use for signing
>> release
>> > artifacts. Currently we use md5 and sha-1. sha-1 will be replaced by
>> > sha-256 soon. Should we keep md5 or use only sha-256?
>> >
>>
