3 Jul 2012, 1:54 p.m.
And yes, attacks on md5 will only get better, so we should migrate to better hashes in the future. But if there is something to be embarrassed about, it's not the use of md5, but the lack of proper code signing and trust paths between developers.
I'm going to implement this, except I will replace the sha256: with a sha256=
There is simply no realistic drawback. Strong hashing is a prerequisite for a trust path, and you avoid the need to even think about why it is OK in this specific circumstance that a weak hash is being used.