simplify checksums to just use sha1?

[phinze]

Kicking this to @passcod for thoughts.

So we basically are always using sha1 for checksums. I wonder if it makes sense to remove the code for the other two since it makes things confusing for contributors and is effectively dead code?

[passcod]

Yes. <insert thoughts here> (I've got a couple of cons and a bunch of pros but given I really gotta go now, my semi-thoughtful answer is let's do it.)

[passcod]

So, basically, I think it's all good, but:

• We lose a little (more) compatibility with homebrew. This is not critical, and these methods can always be added back later if needed.
• My biggest interest in supporting sha512 in particular is about those software releases that have a CHECKSUMS file or similar at the download location. Checksums provided there are frequently either sha512, sha1, or GPG, but those with GPG almost always have a SHA as well, while those with sha512 almost never have sha1. The idea was that these would be the official sums and therefore more trustable. However, GPG is better for trust checksumming.

Hence, I think there is no problem with removing sha256, sha512, (and md5?). 🎲

[nanoxd]

The current state of usage breaks down to:

Total: 505 casks
SHA1: 326 (65%)
no_checksum: 179 (35%)

I think it's safe to say that while other options may provide security, the current usage suggests that sha1 works well for us. I'm not saying we have to remove anything but we can close #164 and focus on 💉 improving other areas of cask.

[passcod]

While I agree about removing hashes that aren't SHA1, GPG signing is also about verifying provenance / authorship, not only integrity.

[passcod]

Removing myself from this. Not sure if it still applies, what with the checksum being SHA-256 now.

[vitorgalvao]

Removing myself from this. Not sure if it still applies, what with the checksum being SHA-256 now.

I’d argue we can probably close this issue, actually.

[fanquake]

Yea. We probably can close this.