Opened 21 months ago
#6187 defect new
prefer sha256 over md5 for tarball/installer signature file
Reported by: teratorn | Owned by:
The release process describes creating a signed manifest of md5 checksums for the various Twisted tarballs and installers produced during the release process.
Here proposing to use sha256 sums instead.
AFAICT, this involves:
Updating http://twistedmatrix.com/trac/wiki/ReleaseProcess and replacing the line
e.g. md5sum Tw* | gpg -a --clearsign > twisted-$RELEASE-md5sums.txt
with
e.g. sha256sum Tw* | gpg -a --clearsign > twisted-$RELEASE-sha256sums.txt
And upon the next release, update the wording near the bottom of this page, http://twistedmatrix.com/trac/wiki/Downloads to not refer explicitly to md5.
But really this step should be automated, so I'll file a new ticket for that feature. Marking this as a defect, since md5 is known to be defective.
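The consumer side of the proposed `twisted-$RELEASE-sha256sums.txt` file, as an added example that is not part of the ticket or of Twisted's release tooling: it compares a download only against the text that gpg reports as signed. The function names are assumptions, and it assumes GNU `sha256sum`, file names without spaces, and a keyring that holds only release keys you trust.

```shell
#!/bin/sh
# Added example: verify one download against a clearsigned SHA-256 manifest.
# Function names are hypothetical; they are not part of any Twisted tooling.

# check_artifact BODY FILE
# BODY is manifest text that has already passed signature verification.
# Returns 0 on match, 1 on digest mismatch, 3 if FILE is not listed at all
# (an unlisted file is not covered by the signature, so it must not pass).
check_artifact() {
    body=$1 file=$2
    name=$(basename "$file")
    # sha256sum lines are "<hex>  <name>" or "<hex> *<name>" (binary mode).
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$body")
    [ -n "$want" ] || return 3
    have=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_release MANIFEST FILE
# Extracts the signed body with gpg and checks FILE against it.
# Returns 2 if the signature is bad, the key is unknown, or MANIFEST is unsigned.
verify_release() {
    manifest=$1 file=$2
    body=$(mktemp) || return 2
    # gpg can emit the body before it has judged the signature, so the
    # extracted text is trusted only when gpg exits 0. Lines an attacker adds
    # outside the signed region never reach $body.
    if gpg --batch --decrypt "$manifest" >"$body" 2>/dev/null; then
        check_artifact "$body" "$file" && rc=0 || rc=$?
    else
        rc=2
    fi
    rm -f "$body"
    return "$rc"
}

# Stand-alone use: sh verify.sh twisted-$RELEASE-sha256sums.txt <tarball>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Running `sha256sum -c` directly on the `.txt` file would also accept checksum lines placed before or after the signed block, which is why the body is extracted through gpg first.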