Comment 8 for bug 1536871

Seth Arnold (seth-arnold) wrote :

Mario, this review is in progress. One point that worries me greatly is that fwupd appears to allow any hash to authenticate firmware files that are served over appstream, and our appstream package appears to allow MD5 and SHA-1, neither of which is acceptable to authenticate firmware updates.

If I can't find any code that enforces a sha256 or better hashing algorithm to authenticate firmware downloads I'm going to have to NAK this package regardless of its other merits.

Thanks