Re: [ALL] SHA-1 vs. SHA-256



> On May 18, 2018, at 11:42 AM, Gary Gregory <garydgregory@xxxxxxxxx> wrote:
> 
>> On Fri, May 18, 2018 at 9:36 AM, sebb <sebbaz@xxxxxxxxx> wrote:
>> 
>>> On 18 May 2018 at 16:30, Gary Gregory <garydgregory@xxxxxxxxx> wrote:
>>> Hi All:
>>> 
>>> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
>>> 
>>> We just updated to SHA-1 which apparently has been subject to a collision
>>> attack [2].
>>> 
>>> Our newish commons-release-plugin has just been updated to SHA-1.
>>> 
>>> I'd like to add SHA-256 alongside SHA-1.
>>> 
>>> Thoughts?
>> 
>> Does Nexus support SHA-256?
>> 
>> ISTR that there were some issues with it.
>> 
> 
> Hard to say without trying:
> - No: https://issues.sonatype.org/browse/NEXUS-5881
> - Yes:
> https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes
> 
> _But_, it would be a start to include SHA-256 in VOTE emails, which I am
> working on with Rob to generate based on a template.
> 
> That would give RC reviewers the opportunity to validate RC downloads from
> dist with SHA-1 or SHA-256.

If it’s only the release artifacts (tars/zips), that’s easy. If it’s the “convenience artifacts,” then I’m not sure. I think Maven or Nexus generates those under the hood, which gives us less control.

-Rob

> 
> Gary
> 
> 
>>> [1] https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
>>> [2] https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@xxxxxxxxxxxxxxxxxx
>> For additional commands, e-mail: dev-help@xxxxxxxxxxxxxxxxxx
>> 
>> 
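
The reviewer-side check discussed in this thread, as an added example that is not part of the original messages or of commons-release-plugin: a POSIX shell function that validates a downloaded artifact against a published digest, preferring SHA-256 and falling back to SHA-1 only when no SHA-256 digest is available. The `.sha256`/`.sha1` sidecar file names and all function names are assumptions.

```shell
#!/bin/sh
# Added example: verify a release-candidate download against a published digest.
# Assumption: the digest sits beside the artifact as <file>.sha256 or <file>.sha1.

# Print the lowercase hex digest of file $2 for algorithm $1 ("256" or "1").
digest_of() {
    if command -v "sha${1}sum" >/dev/null 2>&1; then
        "sha${1}sum" "$2" | cut -d' ' -f1
    else
        shasum -a "$1" "$2" | cut -d' ' -f1
    fi
}

# Extract the expected digest from a checksum file. Accepts a bare hex string
# or the "hex  filename" layout; strips CR and normalises to lowercase.
expected_from() {
    tr -d '\r' < "$1" | awk 'NF { print tolower($1); exit }'
}

# verify_artifact FILE
# Returns 0 on match, 1 on mismatch or malformed digest, 2 if no checksum file.
# SHA-256 is preferred; SHA-1 is used only when no .sha256 file exists.
verify_artifact() {
    file=$1
    if [ -f "$file.sha256" ]; then alg=256; len=64
    elif [ -f "$file.sha1" ]; then alg=1; len=40
    else echo "no checksum file for $file" >&2; return 2
    fi
    want=$(expected_from "$file.sha$alg")
    # Fail closed: an empty, truncated or non-hex digest must never compare equal.
    case $want in *[!0-9a-f]*|'') echo "malformed digest" >&2; return 1 ;; esac
    [ "${#want}" -eq "$len" ] || { echo "wrong digest length" >&2; return 1; }
    got=$(digest_of "$alg" "$file")
    if [ "$got" = "$want" ]; then
        echo "OK (SHA-$alg): $file"
    else
        echo "MISMATCH (SHA-$alg): $file" >&2; return 1
    fi
}
```

A digest fetched from the same location as the artifact only detects corruption in transit; it does not authenticate the release, which is what the detached signature is for.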




