On 17.03.2021 18:53, Benjamin Peterson wrote:
On Wed, Mar 17, 2021, at 09:29, Victor Stinner wrote:
On Tue, Mar 16, 2021 at 9:16 PM Gregory P. Smith firstname.lastname@example.org wrote:
The benefit of listing the sha256 for files is that it prevents this question coming up again and again because md5 is old and rightfully on the "never use" list for many people. Even if there are situations where it is fine as an effective improvement over a CRC.
Would it be possible to provide multiple hashes, like MD5 *and* SHA256 (and maybe also SHA512)? Or is there a practical problem to list multiple hashes on a web page?
How about zero hashes?
IMO, it would be better to put SHA256SUM files into the download folder of each release (these could be cron generated to not make the release process more difficult), e.g.
These files would then contain all hashes for all files in a directory and together with the sha256sum command provide a nice interface for checking any downloads.
That said, most of the file formats used for release files already include checks against file corruption. On the plus side, you don't have to run e.g. an .exe to find out.
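One way to implement the per-directory checksum files suggested in the message above, as an added example that is not part of the original thread. The function names `make_sums` and `verify_download` and the file names are hypothetical, and GNU `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example. All file names and contents are constructed placeholders.

# Write DIR/SHA256SUMS covering every regular file in DIR (what a cron job
# on the download server could run for each release folder).
make_sums() (
    cd "$1" || exit 1
    for f in *; do
        if [ -f "$f" ] && [ "$f" != SHA256SUMS ]; then
            sha256sum -- "$f" || exit 1
        fi
    done > SHA256SUMS
)

# Check one downloaded file against DIR/SHA256SUMS.
# Returns 0 = hash matches, 1 = mismatch or unreadable, 2 = file not listed.
verify_download() (
    cd "$1" || exit 1
    # A line is 64 hex digits, two separator characters, then the name.
    line=$(awk -v n="$2" 'substr($0, 67) == n' SHA256SUMS)
    if [ -z "$line" ]; then
        echo "$2: not listed in SHA256SUMS" >&2
        exit 2
    fi
    printf '%s\n' "$line" | sha256sum -c -
)

# Demonstration on a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed installer bytes\n' > "$dir/example-1.0.exe"
    printf 'constructed source archive\n' > "$dir/example-1.0.tar.xz"
    make_sums "$dir" || return 1
    verify_download "$dir" example-1.0.exe && echo "intact copy accepted"
    printf 'x' >> "$dir/example-1.0.exe"   # simulate a corrupted download
    verify_download "$dir" example-1.0.exe || echo "damaged copy rejected"
    rm -rf "$dir"
}
demo
```

A SHA256SUMS file served from the same host as the downloads detects corruption in transit or on disk; it does not authenticate the files unless the checksum file itself is signed or obtained over a separate trusted channel.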