Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2017/10/23 18:36:31 UTC

Simplify download distribution directory by dropping sha1 hashes?

HTTPD team,

Since our downloads are to be authenticated by their .asc PGP
signatures, and the hashes simply serve as checksums, is it reasonable
to offer only MD5 and SHA256 at this point?

Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
supported checksum. All others should apply the strongest hash
validation.

Thoughts?

Bill

Re: Simplify download distribution directory by dropping sha1 hashes?

Posted by Daniel Ruggeri <dr...@primary.net>.
+1
-- 
Daniel Ruggeri


-------- Original Message --------
From: William A Rowe Jr <wr...@rowe-clan.net>
Sent: October 23, 2017 1:36:31 PM CDT
To: httpd <de...@httpd.apache.org>
Subject: Simplify download distribution directory by dropping sha1 hashes?

HTTPD team,

Since our downloads are to be authenticated by their .asc PGP
signatures, and the hashes simply serve as checksums, is it reasonable
to offer only MD5 and SHA256 at this point?

Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
supported checksum. All others should apply the strongest hash
validation.

Thoughts?

Bill

Re: Simplify download distribution directory by dropping sha1 hashes?

Posted by Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>.
Sounds reasonable to me.

Regards

Rüdiger

> -----Original Message-----
> From: William A Rowe Jr [mailto:wrowe@rowe-clan.net]
> Sent: Monday, 23 October 2017 20:37
> To: httpd <de...@httpd.apache.org>
> Subject: Simplify download distribution directory by dropping sha1
> hashes?
> 
> HTTPD team,
> 
> Since our downloads are to be authenticated by their .asc PGP
> signatures, and the hashes simply serve as checksums, is it reasonable
> to offer only MD5 and SHA256 at this point?
> 
> Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
> supported checksum. All others should apply the strongest hash
> validation.
> 
> Thoughts?
> 
> Bill

Re: Simplify download distribution directory by dropping sha1 hashes?

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 23.10.2017 at 20:36, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> HTTPD team,
> 
> Since our downloads are to be authenticated by their .asc PGP
> signatures, and the hashes simply serve as checksums, is it reasonable
> to offer only MD5 and SHA256 at this point?
> 
> Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
> supported checksum. All others should apply the strongest hash
> validation.
> 
> Thoughts?
> 
> Bill

+1


Re: Simplify download distribution directory by dropping sha1 hashes?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, Oct 24, 2017 at 2:50 AM, Luca Toscano <to...@gmail.com> wrote:
>
> 2017-10-23 20:36 GMT+02:00 William A Rowe Jr <wr...@rowe-clan.net>:
>>
>> HTTPD team,
>>
>> Since our downloads are to be authenticated by their .asc PGP
>> signatures, and the hashes simply serve as checksums, is it reasonable
>> to offer only MD5 and SHA256 at this point?
>>
>> Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
>> supported checksum. All others should apply the strongest hash
>> validation.
>>
>> Thoughts?
>
> +1, I'd also get rid of MD5 since I don't expect anybody relying on it but I
> might be wrong :)

As much as I'd like to, it wasn't long ago I was still building httpd on HP/UX,
AIX and other oddballs. Having some old-school hash while httpd still
compiles on those boxes seems rational.

Re: Simplify download distribution directory by dropping sha1 hashes?

Posted by Luca Toscano <to...@gmail.com>.
2017-10-23 20:36 GMT+02:00 William A Rowe Jr <wr...@rowe-clan.net>:

> HTTPD team,
>
> Since our downloads are to be authenticated by their .asc PGP
> signatures, and the hashes simply serve as checksums, is it reasonable
> to offer only MD5 and SHA256 at this point?
>
> Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
> supported checksum. All others should apply the strongest hash
> validation.
>
> Thoughts?
>

+1, I'd also get rid of MD5 since I don't expect anybody relying on it but
I might be wrong :)

Luca