On Wed, May 09, 2018 at 09:30:51PM +0200, Neven Sajko wrote: > I would just like to note that SHA-2 hashes are inferior to Keccak and > to BLAKE2. So better not to spend effort migrating to SHA-2. Strength of various SHA hashes is a different topic. My only point was that relying on md5 these days is like having no hashes at all or using the source filename as a hash... And there should be no migration -- when a new version of a package is released or a rebuild happens, just update the *sums array. Cheers, -- Leonid Isaev
