Skip to content
Snippets Groups Projects
Commit a35d0fe8 authored by Mike McQuaid's avatar Mike McQuaid Committed by GitHub
Browse files

Merge pull request #1582 from rwhogg/sha1-gone 

docs/Checksum_Deprecation.md: Note that SHA-1 now blocks installation
parents 0b762dc3 bf05818a
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
docs/Checksum_Deprecation.md
+ 9
14
View file @ a35d0fe8
......@@ -5,23 +5,18 @@ integrity verification. Since then every formulae under the Homebrew organisatio
has been moved onto _SHA256_ verification; this includes both source packages
and our precompiled packages (bottles).
We also stopped supporting _MD5_ entirely. It was removed from core formulae in 2012 but until April 2015 if you tried to install a formula still using an
_MD5_ checksum Homebrew wouldn't actively stop you.
We have stopped supporting _SHA1_ and _MD5_ entirely.
_MD5_ checksums were removed from core formulae in 2012 but until April 2015
if you tried to install a formula still using one Homebrew wouldn't actively stop you.
On _SHA1_ we added a `brew audit` check that flags _SHA1_ checksums as deprecated
and requests that you use _SHA256_.
We saw positive ecosystem engagement on moving from _MD5_ & _SHA1_ to the recommended _SHA256_ and thanks to that we're in a strong position to move forwards.
## Moving forwards on SHA1.
We removed _SHA1_ support in **November 2016**,
21 months after we started warning people to move away from it for verification.
This is enforced in the same way _MD5_ is, by blocking the installation of that
individual formula until the checksum is migrated.
From March 20th 2016 we've stepped up the visibility of that notification & you'll start
seeing deprecation warnings when installing _SHA1_-validated formula.
If you see these please consider reporting it to where the formula originated.
We're targeting **the end of September 2016** for _SHA1_ support removal,
19 months after we started warning people to move away from it for verification.
This will be enforced in the same way _MD5_ is today, by blocking the installation of that individual formula until the checksum is migrated.
This means prior to that date custom taps, local custom formulae, etc
need to be migrated to use _SHA256_.
This means custom taps, local custom formulae, etc need to be migrated to use
_SHA256_ before you can install them.
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment