Please move to a more secure checksum than SHA1 for the prebuilt libraries
Ikaros Alpha
For self compilation, which I know you don't really support, but: SHA1 became deprecated long ago for its weaknesses. Like from 2011.
Recently my Linux Mint 21.3 and Mint 22 systems won't even open the 3p-archives any longer for compilation. Can't you just move to SHA256, as it is tiresome to recalculate 40 checksums?
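An added example, not part of the thread and not the project's own tooling: one way to avoid recalculating each checksum by hand is to check every archive against its existing SHA-1 pin and emit a SHA-256 pin only on a match. The archive names, the dict-based manifest and the function names are assumptions; the project's real manifest format is not shown on this page.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 20):
    """Stream the file once; return (sha1_hex, sha256_hex)."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def migrate_pins(archive_dir, sha1_pins):
    """Return (new_sha256_pins, rejected) for a {name: sha1_hex} manifest.

    An archive gets a SHA-256 pin only if it still matches its SHA-1 pin, so
    the migration step itself is only as strong as SHA-1. Missing or
    mismatching files are rejected.
    """
    new_pins, rejected = {}, {}
    for name, pinned in sorted(sha1_pins.items()):
        path = Path(archive_dir) / name
        if not path.is_file():
            rejected[name] = "missing"
            continue
        sha1_hex, sha256_hex = file_digests(path)
        if hmac.compare_digest(sha1_hex, pinned.strip().lower()):
            new_pins[name] = sha256_hex
        else:
            rejected[name] = "sha1 mismatch"
    return new_pins, rejected


def verify_sha256(path, pinned_sha256):
    """Check one archive against its SHA-256 pin; False on any mismatch."""
    return hmac.compare_digest(file_digests(path)[1], pinned_sha256.strip().lower())


if __name__ == "__main__":
    # Constructed sample: one archive (hypothetical name) with a known SHA-1.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "libexample.tar.bz2").write_bytes(b"abc")
        pins = {"libexample.tar.bz2": "a9993e364706816aba3e25717850c26c9cd0d89d"}
        print(migrate_pins(d, pins))
```

Archives listed under `rejected` should be downloaded again from the original source rather than re-pinned to whatever is on disk.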
Kathrine Jansma
As a simple checksum SHA1 is fine. But here it is used to kind of guarantee the integrity of the downloaded artifacts, so some more secure cryptographic hash would be appropriate. Like SHA256 or SHA512/256.
It might be worthwhile to look into something like SLSA instead of simple hashes too:
That's actually not that hard when the build runs on something like GitHub: