Opened 23 months ago

#6187 defect

prefer sha256 over md5 for tarball/installer signature file

Reported by: teratorn
Owned by:
Priority: normal
Milestone:
Component: release management
Keywords:
Cc: radix
Branch:
Author:
Launchpad Bug:


The release process describes creating a signed manifest of md5 checksums for the various Twisted tarballs and installers produced during the release process.

I am proposing here to use sha256 sums instead.

AFAICT, this involves:

Updating and replace the line

e.g. md5sum Tw* | gpg -a --clearsign > twisted-$RELEASE-md5sums.txt

with

e.g. sha256sum Tw* | gpg -a --clearsign > twisted-$RELEASE-sha256sums.txt

And upon the next release, update the wording near the bottom of this page, to not refer explicitly to md5.

But really this step should be automated, so I'll file a new ticket for that feature. Marking this as a defect, since md5 is known to be defective.
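The release-side command proposed in this ticket together with its download-side check, as an added example that is not part of the ticket or of Twisted's release tooling. The function names are hypothetical, the `Twisted-0.0.0` file names in the comments are constructed, and the gpg steps assume the signer's key is already in the local keyring.

```shell
#!/usr/bin/env bash
# Added example; all function names are hypothetical.

# Release side: hash every Tw* file in directory $1, write manifest to $2.
write_manifest() {
    ( cd "$1" && sha256sum Tw* ) > "$2"
}

# Release side: clearsign the manifest, as in the command from the ticket.
sign_manifest() {      # $1 = plain manifest, $2 = clearsigned output
    gpg -a --clearsign < "$1" > "$2"
}

# Download side: gpg --decrypt checks the clearsign signature and emits only
# the signed text, so lines placed outside the signed block never reach
# sha256sum. Fails (non-zero) on a bad or missing signature.
extract_signed_manifest() {   # $1 = clearsigned file, $2 = plain manifest
    gpg --decrypt "$1" > "$2"
}

# Download side: check the files in directory $1 against plain manifest $2.
# Returns 0 if all match, 1 on a hash mismatch, 2 on a malformed manifest.
check_manifest() {
    [ -s "$2" ] || { echo "empty manifest" >&2; return 2; }
    # Accept only "<64 hex digits><space><space or *><bare file name>".
    # This rejects leftover md5 lines (32 hex digits) and any entry with a
    # path separator, e.g. "../Twisted-0.0.0.tar.bz2".
    if grep -Evq '^[0-9a-f]{64} [ *][^/]+$' "$2"; then
        echo "malformed manifest line" >&2
        return 2
    fi
    # The manifest is opened before the cd, so a relative $2 still works.
    ( cd "$1" && sha256sum -c ) < "$2" >&2 || return 1
}
```

On the download side, run `extract_signed_manifest` first and pass its output to `check_manifest`; running `sha256sum -c` directly on the clearsigned file checks hashes without checking who signed them.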

Change History (1)

comment:1 Changed 23 months ago by DefaultCC Plugin

  • Cc radix added
