From bf05818a8acd5db8a40490035a7b13ff41d3af30 Mon Sep 17 00:00:00 2001 From: "Bob W. Hogg" Date: Sat, 26 Nov 2016 17:27:02 +0000 Subject: [PATCH] docs/Checksum_Deprecation.md: Note that SHA-1 now blocks installation This document was out of date as of https://github.com/Homebrew/brew/pull/1451 --- docs/Checksum_Deprecation.md | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/docs/Checksum_Deprecation.md b/docs/Checksum_Deprecation.md index d8ad81b856..62985848bd 100644 --- a/docs/Checksum_Deprecation.md +++ b/docs/Checksum_Deprecation.md 
@@ -5,23 +5,18 @@ integrity verification. Since then every formulae under the Homebrew organisatio has been moved onto _SHA256_ verification; this includes both source packages and our precompiled packages (bottles). -We also stopped supporting _MD5_ entirely. It was removed from core formulae in 2012 but until April 2015 if you tried to install a formula still using an -_MD5_ checksum Homebrew wouldn't actively stop you. +We have stopped supporting _SHA1_ and _MD5_ entirely. +_MD5_ checksums were removed from core formulae in 2012 but until April 2015 +if you tried to install a formula still using one Homebrew wouldn't actively stop you. -On _SHA1_ we added a `brew audit` check that flags _SHA1_ checksums as deprecated -and requests that you use _SHA256_. - -We saw positive ecosystem engagement on moving from _MD5_ & _SHA1_ to the recommended _SHA256_ and thanks to that we're in a strong position to move forwards. - -## Moving forwards on SHA1. +We removed _SHA1_ support in **November 2016**, +21 months after we started warning people to move away from it for verification. +This is enforced in the same way _MD5_ is, by blocking the installation of that +individual formula until the checksum is migrated. From March 20th 2016 we've stepped up the visibility of that notification & you'll start seeing deprecation warnings when installing _SHA1_-validated formula. If you see these please consider reporting it to where the formula originated. -We're targeting **the end of September 2016** for _SHA1_ support removal, -19 months after we started warning people to move away from it for verification. -This will be enforced in the same way _MD5_ is today, by blocking the installation of that individual formula until the checksum is migrated. - -This means prior to that date custom taps, local custom formulae, etc -need to be migrated to use _SHA256_. +This means custom taps, local custom formulae, etc need to be migrated to use +_SHA256_ before you can install them.
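Review bot: the unchanged context paragraph starting "From March 20th 2016 we've stepped up the visibility of that notification" is left stale by this change. It now follows the new paragraph stating that _SHA1_ support was removed in November 2016, so the document tells readers they will "start seeing deprecation warnings" right after saying installation is blocked. "That notification" also has no antecedent any more, because the `brew audit` paragraph it referred to is deleted in this hunk. Suggest either putting that paragraph in the past tense and moving it ahead of the "We removed _SHA1_ support" paragraph as history, or dropping it. If it stays, the "If you see these please consider reporting it" sentence should refer to the installation being blocked rather than to a warning, since that is what a user of a _SHA1_-only formula now encounters.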