Re: Download links for sha256/sha512 checksums


Hervé BOUTEMY
To me, going to sha1 only *for fingerprints* is the right move currently.

Going to sha256 would make people think that a strong fingerprint means
stronger security: this is wrong.
If you want security, check signatures (i.e. .asc files, with corresponding
public keys), which are real security (done with strong fingerprints built
inside).

But fingerprints alone are just checksums against download issues: technically,
we could stay with md5 or even weaker (good old crc?), IMHO. It's just to
avoid md5's bad reputation that we need to avoid it now: md5 for signatures is
bad, but md5 for fingerprints could still be sufficient.

Regards,

Hervé

On Friday, 6 April 2018, 21:54:42 CEST, Michael Osipov wrote:

> On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
> > Hi to all,
> >
> > updated the download page having now sha256/sha512 links...
> >
> > first step of the efforts to migrate away from .md5 to sha256/sha512..
> >
> > Most important:
> >
> > https://maven.apache.org/download.cgi
> >
> > WDYT ?
> >
> > other changes/improvements ?
>
> I would definitely keep SHA-1 around. As for SHA2-512, isn't there any
> benefit for us ATM compared to 256?
>
> Michael



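The distinction drawn in the message above, as an added example that is not part of the original thread or of Maven's tooling: a checksum of any strength catches transfer corruption, but it cannot catch a replaced archive when the checksum file is served from the same place, while a signature checked against an independently obtained public key can. Assumptions: the archive bytes are constructed samples, and a Lamport one-time signature built from SHA-256 stands in for the OpenPGP `.asc` signature so the block needs only the Python standard library.

```python
import hashlib
import secrets
import zlib

ALGOS = ("crc32", "md5", "sha1", "sha256", "sha512")

def digest(data: bytes, algo: str) -> str:
    # crc32 is included as the "even weaker" fingerprint from the thread
    if algo == "crc32":
        return f"{zlib.crc32(data):08x}"
    return hashlib.new(algo, data).hexdigest()

def checksum_ok(artifact: bytes, published: str, algo: str) -> bool:
    return digest(artifact, algo) == published

# Lamport one-time signature over SHA-256 (assumption: stand-in for OpenPGP).
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk

def _bits(data: bytes):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]

def sign(sk, data: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(data))]

def verify(pk, data: bytes, sig) -> bool:
    bits = _bits(data)
    return all(hashlib.sha256(s).digest() == pk[i][bits[i]] for i, s in enumerate(sig))

def simulate():
    original = b"constructed release archive bytes" * 64   # constructed sample
    corrupted = original[:100] + b"\x00" + original[101:]   # one-byte transfer error
    swapped = b"constructed bytes served by an untrusted mirror"
    sk, pk = keygen()   # pk is obtained out of band; sk never leaves the signer
    sig = sign(sk, original)
    results = {}
    for algo in ALGOS:
        published = digest(original, algo)
        mirror_sum = digest(swapped, algo)  # mirror publishes its own checksum file
        results[algo] = {"corruption_detected": not checksum_ok(corrupted, published, algo),
                         "swap_detected": not checksum_ok(swapped, mirror_sum, algo)}
    results["signature"] = {"corruption_detected": not verify(pk, corrupted, sig),
                            "swap_detected": not verify(pk, swapped, sig),
                            "genuine_accepted": verify(pk, original, sig)}
    return results
```

Every fingerprint row reports the corruption and misses the swap, regardless of hash strength; only the signature row reports both.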