Details
-
Suggestion
-
Resolution: Out of scope
Description
Component: "download.qt.io"
Hi,
On the download site, besides the installer packages, there is
https://download.qt.io/archive/qt/5.13/5.13.0/md5sums.txt
which contains only the md5sums.
Since md5 is already known as not secure anymore, it would be nice to offer another method of verifying that nobody has manipulated the installer file.
It could easily be done automatically and would improve the secure distribution a lot. I would assume that on most Desktop/Server Linux systems sha512sum is already installed, so the additional overhead is quite small, depending on the build system, to add a command that not only calculates the md5 but also the sha512 sums.
In case the sha sums are already calculated and put somewhere accessible: Sorry, but I could not find them, please let me know where they are (and this report should be re-titled to "not visible enough sha sums").
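
The build-side step suggested above, together with the matching check on the downloader's side, as an added example that is not part of the original report and is not Qt's release tooling. The function names, the sample file name and its contents are constructed, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not Qt's release tooling. All names and data are constructed.

# Publisher side: write md5sums.txt and sha512sums.txt for the files in a release directory.
write_manifests() {
    local dir="$1" f
    (
        cd "$dir" || exit 1
        : > md5sums.txt.tmp
        : > sha512sums.txt.tmp
        for f in *; do
            [ -f "$f" ] || continue
            # Skip the manifests themselves so a re-run gives the same result.
            case $f in md5sums.txt|sha512sums.txt|*.tmp) continue ;; esac
            md5sum -- "$f" >> md5sums.txt.tmp
            sha512sum -- "$f" >> sha512sums.txt.tmp
        done
        # Rename last, so a half-written manifest is never published.
        mv md5sums.txt.tmp md5sums.txt && mv sha512sums.txt.tmp sha512sums.txt
    )
}

# Downloader side: 0 = hash matches, 1 = mismatch, 2 = file not listed in the manifest.
verify_download() {
    local manifest="$1" file="$2" name expected actual
    name=$(basename -- "$file")
    # Match the file name exactly; a leading '*' marks binary mode in coreutils output.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "no entry for $name in $manifest" >&2; return 2; }
    actual=$(sha512sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demo on a constructed file: verify it, change one byte, verify again.
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    printf 'constructed installer bytes\n' > "$tmp/installer-sample.run"
    write_manifests "$tmp" || return 1
    if verify_download "$tmp/sha512sums.txt" "$tmp/installer-sample.run"; then echo "published file: OK"; fi
    printf 'x' >> "$tmp/installer-sample.run"   # file changed after the manifest was written
    if ! verify_download "$tmp/sha512sums.txt" "$tmp/installer-sample.run"; then echo "changed file: MISMATCH"; fi
    rm -rf "$tmp"
}
demo
```

A manifest only helps if it is obtained independently of the file it describes: when both come from the same mirror, fetch the manifest from the primary site over HTTPS or check a signature on it.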