You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@maven.apache.org by Karl Heinz Marbaise <kh...@gmx.de> on 2018/04/06 19:50:24 UTC
Download links for sha256/sha512 checksums
Hi to all,
updated the download page having now sha256/sha512 links...
first step of the efforts to migrate away from .md5 to sha256/sha512..
Most important:
https://maven.apache.org/download.cgi
WDYT ?
other changes/improvements ?
Kind regards
Karl Heinz Marbaise
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Download links for sha256/sha512 checksums
Posted by Michael Osipov <mi...@apache.org>.
Am 2018-04-06 um 22:38 schrieb Karl Heinz Marbaise:
> Hi,
>
> On 06/04/18 22:28, Michael Osipov wrote:
>> Am 2018-04-06 um 22:13 schrieb Karl Heinz Marbaise:
>>> Hi,
>>>
>>> On 06/04/18 21:54, Michael Osipov wrote:
>>>> Am 2018-04-06 um 21:50 schrieb Karl Heinz Marbaise:
>>>>> Hi to all,
>>>>>
>>>>> updated the download page having now sha256/sha512 links...
>>>>>
>>>>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>>>>
>>>>> Most important:
>>>>>
>>>>> https://maven.apache.org/download.cgi
>>>>>
>>>>> WDYT ?
>>>>>
>>>>> other changes/improvements ?
>>>>
>>>> I would definitively keep SHA-1 around. As for SHA2-512, isn't there
>>>> any benefit for us ATM compared to 256?
>>>
>>> So you would say having only sha1, sha256 ?
>>
>> Correct.
>
> changed accordingly..
+1
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Download links for sha256/sha512 checksums
Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,
On 06/04/18 22:28, Michael Osipov wrote:
> Am 2018-04-06 um 22:13 schrieb Karl Heinz Marbaise:
>> Hi,
>>
>> On 06/04/18 21:54, Michael Osipov wrote:
>>> Am 2018-04-06 um 21:50 schrieb Karl Heinz Marbaise:
>>>> Hi to all,
>>>>
>>>> updated the download page having now sha256/sha512 links...
>>>>
>>>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>>>
>>>> Most important:
>>>>
>>>> https://maven.apache.org/download.cgi
>>>>
>>>> WDYT ?
>>>>
>>>> other changes/improvements ?
>>>
>>> I would definitively keep SHA-1 around. As for SHA2-512, isn't there
>>> any benefit for us ATM compared to 256?
>>
>> So you would say having only sha1, sha256 ?
>
> Correct.
changed accordingly..
Kind regards
Karl Heinz Marbaise
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Download links for sha256/sha512 checksums
Posted by Michael Osipov <mi...@apache.org>.
Am 2018-04-06 um 22:13 schrieb Karl Heinz Marbaise:
> Hi,
>
> On 06/04/18 21:54, Michael Osipov wrote:
>> Am 2018-04-06 um 21:50 schrieb Karl Heinz Marbaise:
>>> Hi to all,
>>>
>>> updated the download page having now sha256/sha512 links...
>>>
>>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>>
>>> Most important:
>>>
>>> https://maven.apache.org/download.cgi
>>>
>>> WDYT ?
>>>
>>> other changes/improvements ?
>>
>> I would definitively keep SHA-1 around. As for SHA2-512, isn't there
>> any benefit for us ATM compared to 256?
>
> So you would say having only sha1, sha256 ?
Correct.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Download links for sha256/sha512 checksums
Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,
On 06/04/18 21:54, Michael Osipov wrote:
> Am 2018-04-06 um 21:50 schrieb Karl Heinz Marbaise:
>> Hi to all,
>>
>> updated the download page having now sha256/sha512 links...
>>
>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>
>> Most important:
>>
>> https://maven.apache.org/download.cgi
>>
>> WDYT ?
>>
>> other changes/improvements ?
>
> I would definitively keep SHA-1 around. As for SHA2-512, isn't there any
> benefit for us ATM compared to 256?
So you would say having only sha1, sha256 ?
Kind regards
Karl Heinz Marbaise
>
> Michael
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Download links for sha256/sha512 checksums
Posted by Hervé BOUTEMY <he...@free.fr>.
to me, going to sha1 only *for fingerprints* is the right move currently
going to sha256 would make people think that a strong fingerprint means a
stronger security: this is wrong
If you want security, check signatures (ie. .asc files, with corresponding
public keys) that are real security (done with strong fingerprints built
inside)
but fingerprints only are just checksums against download issues: technically,
we could stay with md5 or even weaker (good old crc?), IMHO. That's just to
avoid bad md5 reputation that we need to avoid it now: md5 for signature is
bad, but md5 for fingerprint could still be sufficient.
Regards,
Hervé
Le vendredi 6 avril 2018, 21:54:42 CEST Michael Osipov a écrit :
> Am 2018-04-06 um 21:50 schrieb Karl Heinz Marbaise:
> > Hi to all,
> >
> > updated the download page having now sha256/sha512 links...
> >
> > first step of the efforts to migrate away from .md5 to sha256/sha512..
> >
> > Most important:
> >
> > https://maven.apache.org/download.cgi
> >
> > WDYT ?
> >
> > other changes/improvements ?
>
> I would definitively keep SHA-1 around. As for SHA2-512, isn't there any
> benefit for us ATM compared to 256?
>
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
Re: Download links for sha256/sha512 checksums
Posted by Michael Osipov <mi...@apache.org>.
Am 2018-04-06 um 21:50 schrieb Karl Heinz Marbaise:
> Hi to all,
>
> updated the download page having now sha256/sha512 links...
>
> first step of the efforts to migrate away from .md5 to sha256/sha512..
>
> Most important:
>
> https://maven.apache.org/download.cgi
>
> WDYT ?
>
> other changes/improvements ?
I would definitively keep SHA-1 around. As for SHA2-512, isn't there any
benefit for us ATM compared to 256?
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org