It's 2021 and md5 has been insufficient as a cryptographic hash for years; as of 2008 CERT declared MD5 "cryptographically broken and unsuitable for further use"[1]. Minimal streams were created after this and therefore md5 sums are intentionally omitted. For standard image streams md5 sums should be removed before another 10 year LTS is released considering supply chain security concerns and simplestreams updated to only accept sha256 or greater. Given the timeframe for LTS support NIST 2020 recommendations[2] would point to SHA-384 or SHA-512. [1] https://www.kb.cert.org/vuls/id/836068 [2] https://www.keylength.com/en/4/ On Thu, Oct 7, 2021 at 9:56 AM Corey Bryant