Hi, at the NixOS Linux distribution we're using https://cgit.freedesktop.org/libreoffice/core/tree/download.lst as a source to build LibreOffice using a script. We're trying to get rid of md5, and LibreOffice is one of the last pieces of software using it. Could we change that list to use a secure hashing algorithm? Domen
The use of md5 is not meant as a secure hashing algorithm. It is only used as a way to recognize corrupted data transmissions.
I realize that, but it's useful to use upstream hashes for distros. Would it be too much of a hassle to change the algorithm?
That would not only be a change of the gbuild download mechanism but, as tarballs are shared between different branches of LibreOffice, would also involve either adding symlinks on the download server for all tarballs that include the md5sum in the file name, to have both md5sum and sha256sum available, or continuing to use the name that includes the md5sum but having an additional sha256sum for the content, which might be even more confusing. I don't get the "useful to use upstream hashes for distros"; distros mostly use the already available system libraries to build LibreOffice, unless those are too old or too new.
OK, we've implemented sha256 hashing and don't use upstream md5 anymore.
FYI, master (to-be 5.4) uses sha256 now.