diff options
| author | Bob W. Hogg | 2016-11-26 17:27:02 +0000 |
|---|---|---|
| committer | Bob W. Hogg | 2016-11-26 17:27:02 +0000 |
| commit | bf05818a8acd5db8a40490035a7b13ff41d3af30 (patch) | |
| tree | 0c21f164b5f63cef2580a942387f9c0b83e4c3ab | |
| parent | 3e3df9568e64c6fee2bd8a34fac5d765b11284a8 (diff) | |
| download | brew-bf05818a8acd5db8a40490035a7b13ff41d3af30.tar.bz2 | |
docs/Checksum_Deprecation.md: Note that SHA-1 now blocks installation
This document was out of date as of https://github.com/Homebrew/brew/pull/1451
| -rw-r--r-- | docs/Checksum_Deprecation.md | 23 |
1 files changed, 9 insertions, 14 deletions
diff --git a/docs/Checksum_Deprecation.md b/docs/Checksum_Deprecation.md index d8ad81b85..62985848b 100644 --- a/docs/Checksum_Deprecation.md +++ b/docs/Checksum_Deprecation.md @@ -5,23 +5,18 @@ integrity verification. Since then every formulae under the Homebrew organisatio has been moved onto _SHA256_ verification; this includes both source packages and our precompiled packages (bottles). -We also stopped supporting _MD5_ entirely. It was removed from core formulae in 2012 but until April 2015 if you tried to install a formula still using an -_MD5_ checksum Homebrew wouldn't actively stop you. +We have stopped supporting _SHA1_ and _MD5_ entirely. +_MD5_ checksums were removed from core formulae in 2012 but until April 2015 +if you tried to install a formula still using one Homebrew wouldn't actively stop you. -On _SHA1_ we added a `brew audit` check that flags _SHA1_ checksums as deprecated -and requests that you use _SHA256_. - -We saw positive ecosystem engagement on moving from _MD5_ & _SHA1_ to the recommended _SHA256_ and thanks to that we're in a strong position to move forwards. - -## Moving forwards on SHA1. +We removed _SHA1_ support in **November 2016**, +21 months after we started warning people to move away from it for verification. +This is enforced in the same way _MD5_ is, by blocking the installation of that +individual formula until the checksum is migrated. From March 20th 2016 we've stepped up the visibility of that notification & you'll start seeing deprecation warnings when installing _SHA1_-validated formula. If you see these please consider reporting it to where the formula originated. -We're targeting **the end of September 2016** for _SHA1_ support removal, -19 months after we started warning people to move away from it for verification. -This will be enforced in the same way _MD5_ is today, by blocking the installation of that individual formula until the checksum is migrated. - -This means prior to that date custom taps, local custom formulae, etc -need to be migrated to use _SHA256_. +This means custom taps, local custom formulae, etc need to be migrated to use +_SHA256_ before you can install them. |