After downloading artifacts, there are 3 things to check: (1) the download is 
successful; (2) the artifacts were indeed created by the named author; and (3) 
the artifacts have not been tampered with.

A security expert would know to use the .md5 for (1), the .asc for (2), and the 
.sha256 or .sha512 for (3).

But we are not all security experts. An ordinary user might use the .md5 for 
(3), a purpose that it is not suited for.

If we switch to .sha256 / .sha512 for both (1) and (3) there is one fewer thing 
that can go wrong.

Julian


> On Aug 30, 2017, at 4:12 PM, sebb <seb...@gmail.com> wrote:
> 
> Surely the main purpose of the hash is to check that the download has
> been successful.
> As such, MD5 is adequate.


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
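The procedure Julian describes, as an added shell example that is not code from the thread or from any Apache project: the strong hash covers checks (1) and (3), and the detached .asc covers check (2). It assumes GNU `sha512sum` (falling back to `shasum -a 512`), `gpg` in PATH, a keyring the user has populated from the project's KEYS file, and that the .sha512 file is in either `sha512sum` layout ("<hex>  <name>") or the `gpg --print-md` layout ("<name>: <grouped hex>"); those layouts and all file names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded release artifact.
# Check (1) and (3) use the SHA-512 file; check (2) uses the detached signature.
# Assumptions: sha512sum or shasum available; gpg available for the signature step.

# Compare the artifact against an Apache-style .sha512 file.
# Assumed layouts: "<hex>  <name>" (sha512sum) or "<name>: <hex groups>" (gpg --print-md).
# Limitation: a file name containing ':' would confuse the prefix strip below.
verify_sha512() {
    artifact="$1"
    sumfile="$2"

    # Strip a "name:" prefix, drop all whitespace, normalise case, keep 128 hex chars.
    expected=$(sed 's/^[^:]*:[[:space:]]*//' "$sumfile" \
        | tr -d ' \t\r\n' | tr '[:upper:]' '[:lower:]' | cut -c1-128)

    if command -v sha512sum >/dev/null 2>&1; then
        actual=$(sha512sum "$artifact" | cut -d' ' -f1)
    else
        actual=$(shasum -a 512 "$artifact" | cut -d' ' -f1)
    fi

    # Reject truncated checksum files as well as mismatches.
    [ "${#expected}" -eq 128 ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature against a keyring built only from the
# project's KEYS file, so an arbitrary key that merely signs the file does not pass.
# Assumed preparation: gpg --no-default-keyring --keyring "$keyring" --import KEYS
verify_signature() {
    artifact="$1"
    sig="$2"
    keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$artifact"
}

# Usage: sh verify.sh <artifact> <artifact.sha512> <artifact.asc> <keyring>
if [ "$#" -eq 4 ]; then
    if verify_sha512 "$1" "$2"; then
        echo "sha512 OK (download complete, content intact)"
    else
        echo "sha512 MISMATCH"; exit 1
    fi
    if verify_signature "$1" "$3" "$4"; then
        echo "signature OK (signed by a key from the project's KEYS file)"
    else
        echo "signature FAILED"; exit 1
    fi
fi
```

The hash check is deliberately done once with SHA-512 rather than MD5: the same comparison tells you the download completed and that the bytes were not altered, which is the single-check simplification Julian argues for. The signature step only proves authorship if the keyring holds nothing but the release managers' keys, which is why a dedicated keyring is used instead of the user's default one.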
