Re: [Valgrind-users] Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

[John R. <jr...@bi...>]

On 06/16/2017 06:31 AM, Zhiming Wang wrote:
> By the way, just a suggestion, maybe you could publish the
> SHA-256 checksums of release tarballs instead of MD5?

Please also publish the exact length in bytes.
This is worth _more_ than expanding the width of the checksum,
because it is easier (much easier) to produce checksum collisions
by extending the length.