Don't encourage MD5

[ysangkok]

First off, thanks for this! I am so happy you got it working, what a crazy project! 👍

I think you must certainly know that MD5 is broken. I know, I know, you'll say "it's still fine as a checksum". But it wasn't used as a checksum. If you google it, it will say "cryptographic hash". People may get confused and think that this is just as good as any other algorithm. Why even tempt fate? I just don't see the point, in this day and age where cryptographic hashing is cheap, what is the point of using a less-than ideal hashing mechanism for new projects?

Feel free to close this if you like, I just wanted to leave my two cents. :)

[brianddk]

Agreed. If you check current commits I've added SHA1 though it isn't really fully integrated yet. I'll leave it open and finish the transition soon enough.

Part of the reason for including the MD5sum has to do with the archives I'm drawing from. Some of the old source drops use MD5 as the checksum. I could download, SHA1 check then just move on, but it doesn't provide an audit trail. By using the same checksum algo as the original sources use, I can prove to any audit that there are no hidden additions in the form of a tainted archive.

[ysangkok]

Closing since I understand now how using anything but MD5 would break the audit trail.