Re: Moving hashes (checksums) forward


Michael Osipov-2
On 2020-05-31 at 18:46, Maarten Mulders wrote:

> Hi,
>
> It's great to see support for more secure hashing algorithms coming.
>
> At the risk of suggesting something that is already there, or is just
> not feasible... Wouldn't it be possible to have a smoother transition by
> allowing multiple hashes at the same time?
>
> When resolving, if there is a SHA-2 hash we use that for validation.
> Otherwise, we use SHA-1 or MD5. We might log a warning about the fact
> that a deprecated hashing algorithm is used. That way, repo managers
> wouldn't necessarily need to re-hash all their content. On the other
> hand, it might slow down the adoption of SHA-2 for content hashing.

We already have multiple hashes in parallel and Resolver will traverse
until no hash is found or the first one has failed.

> On May 31, 2020, at 17:19, Robert Scholte wrote:
>
>> hi,
>>
>> It would be great if Sonatype could lead this request.
>> It seems like a similar process compared to the TLSv1.2 requirement
>> and the drop of http
>> They have the best overview in how to handle the switch to different
>> hashes.
>> You can already start with #1, but until then I would be careful with #2
>>
>> thanks,
>> Robert
>>
>> On 31-5-2020 16:58:58, Michael Osipov <[hidden email]> wrote:
>> Folks,
>>
>> I have been recently (indirectly) approached by Mark Thomas for the
>> Tomcat committers that he wants to provide SHA-2 hashes for all uploaded
>> Tomcat artifacts in Central. Since Nexus 2.14.18 supports this properly
>> for validation, I have picked up MRESOLVER-56 and asked for testing.
>>
>> I'd also like to discuss two proposals for the Maven community:
>> 1. Introduce SHA-2 support in Maven Resolver 1.4.3 which will go into
>> Maven 3.7.0
>> 2. Deprecate MD5 and SHA-1 with that release and make them obsolete with
>> Maven 4.0 and Maven Resolver 2.0 which will include package change also.
>>
>> Those proposals have the following greater implications:
>> 1.
>> * Certain repo managers might reject hashes they don't know, as Nexus
>> did on repository.a.o.
>> * This will incur two more requests with each upload and download. In
>> the latter, it will fail with 404 because most repo managers won't have
>> SHA-2 hashes. So Central fails for now. (will be solved with 2.)
>>
>> 2.
>> * All repo managers will need to
>> ** rehash all current content to provide SHA-2 hashes
>> ** Require SHA-2 hashes to be uploaded
>> ** Reject MD5 and SHA-1 hashes
>> * Old tools will fail because MD5 and SHA-1 hashes are gone:
>> ** Uploads will be rejected
>> ** Strict download validation will fail
>>
>> Please comment. I will also provide a draft PR soon.
>> I can cast two formal votes if required.
>>
>> Michael
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>

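The checksum traversal Michael describes (try the hashes in order, skip the ones the repository does not serve, stop at the first one found and fail hard if it does not match) and Maarten's suggestion of a deprecation warning for MD5/SHA-1, modelled as an added Python example. This is not Maven Resolver's code; the sidecar suffixes (`.sha512`, `.sha256`, `.sha1`, `.md5`) and the in-memory repository are assumptions made for the example.

```python
import hashlib
import hmac

# Algorithms in the order the resolver tries them: SHA-2 first, then the
# legacy algorithms the thread proposes to deprecate.
ALGORITHMS = ("SHA-512", "SHA-256", "SHA-1", "MD5")
DEPRECATED = frozenset({"SHA-1", "MD5"})

# Sidecar suffixes (assumed Maven repository layout) and hashlib names.
SUFFIX = {"SHA-512": ".sha512", "SHA-256": ".sha256", "SHA-1": ".sha1", "MD5": ".md5"}
HASHLIB_NAME = {"SHA-512": "sha512", "SHA-256": "sha256", "SHA-1": "sha1", "MD5": "md5"}


class ChecksumError(Exception):
    """The first checksum found did not match, or no checksum exists."""


def digest(algorithm, data):
    return hashlib.new(HASHLIB_NAME[algorithm], data).hexdigest()


def make_repo(artifact, data, algorithms):
    """Build a constructed in-memory repository (path -> bytes) serving the
    artifact plus one sidecar file per algorithm, in 'hash  filename' form."""
    repo = {artifact: data}
    for algorithm in algorithms:
        line = f"{digest(algorithm, data)}  {artifact}\n"
        repo[artifact + SUFFIX[algorithm]] = line.encode()
    return repo


def validate(artifact, repo):
    """Validate the artifact against the strongest checksum the repository
    serves. A missing sidecar (a 404 on a real server) is skipped; the first
    sidecar found decides: match -> success, mismatch -> ChecksumError with
    no fallback to a weaker hash. Returns (algorithm, warning), where warning
    is set when a deprecated algorithm had to be used."""
    data = repo[artifact]
    for algorithm in ALGORITHMS:
        sidecar = repo.get(artifact + SUFFIX[algorithm])
        if sidecar is None:
            continue
        fields = sidecar.decode("ascii", "replace").split()
        if not fields:
            raise ChecksumError(f"{artifact}: empty {algorithm} checksum file")
        expected = fields[0].lower().encode()
        actual = digest(algorithm, data).encode()
        # Constant-time comparison; the first hash found is authoritative.
        if not hmac.compare_digest(actual, expected):
            raise ChecksumError(f"{artifact}: {algorithm} checksum mismatch")
        warning = None
        if algorithm in DEPRECATED:
            warning = (f"{artifact}: validated with deprecated {algorithm}; "
                       "repository should publish SHA-2 checksums")
        return algorithm, warning
    raise ChecksumError(f"{artifact}: no checksum available")


if __name__ == "__main__":
    name = "example-1.0.jar"
    data = b"constructed artifact bytes, not a real jar\n"
    print("SHA-2 published:", validate(name, make_repo(name, data, ["SHA-256", "SHA-1"])))
    print("legacy only:    ", validate(name, make_repo(name, data, ["SHA-1", "MD5"])))
    bad = make_repo(name, data, ["SHA-256", "SHA-1"])
    bad[name + ".sha256"] = b"0" * 64  # wrong SHA-256, correct SHA-1 still present
    try:
        validate(name, bad)
    except ChecksumError as err:
        print("rejected:       ", err)
```

With only legacy sidecars present the artifact still validates, but with a warning, which is the smoother transition Maarten asks for; a wrong SHA-256 beside a correct SHA-1 is rejected outright, because falling back to the weaker hash after a mismatch would let an attacker who can alter the SHA-2 file downgrade the check.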