admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

docs/Checksum_Deprecation.md: Note that SHA-1 now blocks installation

Browse Source 
This document was out of date as of https://github.com/Homebrew/brew/pull/1451
This commit is contained in:
Bob W. Hogg 2016-11-26 17:27:02 +00:00
parent 3e3df9568e
commit bf05818a8a
1 changed files with 9 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
docs/Checksum_Deprecation.md
View File

@ -5,23 +5,18 @@ integrity verification. Since then every formulae under the Homebrew organisatio
has been moved onto _SHA256_ verification; this includes both source packages has been moved onto _SHA256_ verification; this includes both source packages
and our precompiled packages (bottles). and our precompiled packages (bottles).
We also stopped supporting _MD5_ entirely. It was removed from core formulae in 2012 but until April 2015 if you tried to install a formula still using an We have stopped supporting _SHA1_ and _MD5_ entirely.
_MD5_ checksum Homebrew wouldn't actively stop you. _MD5_ checksums were removed from core formulae in 2012 but until April 2015
if you tried to install a formula still using one Homebrew wouldn't actively stop you.
On _SHA1_ we added a `brew audit` check that flags _SHA1_ checksums as deprecated We removed _SHA1_ support in **November 2016**,
and requests that you use _SHA256_. 21 months after we started warning people to move away from it for verification.
This is enforced in the same way _MD5_ is, by blocking the installation of that
We saw positive ecosystem engagement on moving from _MD5_ & _SHA1_ to the recommended _SHA256_ and thanks to that we're in a strong position to move forwards. individual formula until the checksum is migrated.
## Moving forwards on SHA1.
From March 20th 2016 we've stepped up the visibility of that notification & you'll start From March 20th 2016 we've stepped up the visibility of that notification & you'll start
seeing deprecation warnings when installing _SHA1_-validated formula. seeing deprecation warnings when installing _SHA1_-validated formula.
If you see these please consider reporting it to where the formula originated. If you see these please consider reporting it to where the formula originated.
We're targeting **the end of September 2016** for _SHA1_ support removal, This means custom taps, local custom formulae, etc need to be migrated to use
19 months after we started warning people to move away from it for verification. _SHA256_ before you can install them.
This will be enforced in the same way _MD5_ is today, by blocking the installation of that individual formula until the checksum is migrated.
This means prior to that date custom taps, local custom formulae, etc
need to be migrated to use _SHA256_.