admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Merge pull request #1582 from rwhogg/sha1-gone

Browse Source 
docs/Checksum_Deprecation.md: Note that SHA-1 now blocks installation
This commit is contained in:
Mike McQuaid 2016-11-28 08:45:41 +00:00 committed by GitHub
commit a35d0fe8f0
1 changed files with 9 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
docs/Checksum_Deprecation.md
View File

@ -5,23 +5,18 @@ integrity verification. Since then every formulae under the Homebrew organisatio
has been moved onto _SHA256_ verification; this includes both source packages
and our precompiled packages (bottles).
We also stopped supporting _MD5_ entirely. It was removed from core formulae in 2012 but until April 2015 if you tried to install a formula still using an
_MD5_ checksum Homebrew wouldn't actively stop you.
We have stopped supporting _SHA1_ and _MD5_ entirely.
_MD5_ checksums were removed from core formulae in 2012 but until April 2015
if you tried to install a formula still using one Homebrew wouldn't actively stop you.
On _SHA1_ we added a `brew audit` check that flags _SHA1_ checksums as deprecated
and requests that you use _SHA256_.
We saw positive ecosystem engagement on moving from _MD5_ & _SHA1_ to the recommended _SHA256_ and thanks to that we're in a strong position to move forwards.
## Moving forwards on SHA1.
We removed _SHA1_ support in **November 2016**,
21 months after we started warning people to move away from it for verification.
This is enforced in the same way _MD5_ is, by blocking the installation of that
individual formula until the checksum is migrated.
From March 20th 2016 we've stepped up the visibility of that notification & you'll start
seeing deprecation warnings when installing _SHA1_-validated formula.
If you see these please consider reporting it to where the formula originated.
We're targeting **the end of September 2016** for _SHA1_ support removal,
19 months after we started warning people to move away from it for verification.
This will be enforced in the same way _MD5_ is today, by blocking the installation of that individual formula until the checksum is migrated.
This means prior to that date custom taps, local custom formulae, etc
need to be migrated to use _SHA256_.
This means custom taps, local custom formulae, etc need to be migrated to use
_SHA256_ before you can install them.