If I recall, Cyanogenmod builds had sha1sums. Lineage should upgrade to sha256. They could also pgp sign them like Mozilla.
And also, they shouldn't offer https download links that redirect to http mirrors. It would be nice if websites didn't do this while browser developers still haven't come to terms with this issue.
There are no known attacks which make SHA1 insecure in this context. Also according to this announcement, they will be signing the builds, which is vastly superior to any unverified checksum.
The signature is only as good as the hash it's using. SHA-1 is considered insecure. From Wikipedia:
SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use,[3] and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.[4][5][6] Microsoft,[7] Google[8] and Mozilla[9][10][11] have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.
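Whatever hash the project publishes, the download still has to be checked against it on the receiving end. The script below is an added example for this thread, not code from LineageOS or from any commenter: it parses a sha256sum(1)-style manifest (`<64 hex digits>  <filename>`, the format `sha256sum -c` reads), hashes each named file in chunks, and reports OK, MISMATCH or MISSING per entry. The file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum-style manifest lines: '<64 hex chars>  <filename>'.

    Returns {filename: lowercase hex digest}. Blank and '#' lines are
    skipped; anything else that is not a well-formed entry raises ValueError
    so a corrupted manifest is never silently treated as 'all files absent'.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <file>'")
        digest, name = parts
        # sha256sum prefixes the name with '*' when run in binary mode
        name = name.lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        entries[name] = digest.lower()
    return entries


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-hundred-MB ROM zip is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_sha256sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        # compare_digest gives an exact, length-safe comparison of the two hex strings
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed sample: one intact file, one altered file, one listed but absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed-sample-rom-contents"
        with open(os.path.join(d, "lineage-good.zip"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "lineage-altered.zip"), "wb") as f:
            f.write(good + b"tampered")  # bytes changed after the manifest was made
        manifest = (
            f"{hashlib.sha256(good).hexdigest()}  lineage-good.zip\n"
            f"{hashlib.sha256(good).hexdigest()}  lineage-altered.zip\n"
            f"{'0' * 64}  lineage-missing.zip\n"  # constructed placeholder digest
        )
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A checksum fetched from the same mirror as the file only proves the two were not corrupted in transit together; the point made above about signing is that the manifest (or the build itself) must be signed with a key obtained out of band for the comparison to say anything about who produced the file.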
"We will NOT be shipping root baked into the ROM."
Does anyone know why this is the case? Is there some kind of issue with shipping it rooted + a root manager (SuperSU, Superuser, etc) as CyanogenMod did?
Let's hope Steve remembers to do the right thing (tm) this time.
Edit: in particular, next time someone in his organization does/says something incredibly stupid I want Steve to stop it right away instead of waiting 2 years...
More here: http://www.gsmarena.com/lineage_os_is_now_officially_picking...