Posted to dev@maven.apache.org by Karl Heinz Marbaise <kh...@gmx.de> on 2018/04/06 19:50:24 UTC

Download links for sha256/sha512 checksums

Hi to all,

updated the download page having now sha256/sha512 links...

first step of the efforts to migrate away from .md5 to sha256/sha512..

Most important:

https://maven.apache.org/download.cgi

WDYT ?

other changes/improvements ?

Kind regards
Karl Heinz Marbaise

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: Download links for sha256/sha512 checksums

Posted by Michael Osipov <mi...@apache.org>.
On 2018-04-06 at 22:38, Karl Heinz Marbaise wrote:
> Hi,
> 
> On 06/04/18 22:28, Michael Osipov wrote:
>> On 2018-04-06 at 22:13, Karl Heinz Marbaise wrote:
>>> Hi,
>>>
>>> On 06/04/18 21:54, Michael Osipov wrote:
>>>> On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
>>>>> Hi to all,
>>>>>
>>>>> updated the download page having now sha256/sha512 links...
>>>>>
>>>>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>>>>
>>>>> Most important:
>>>>>
>>>>> https://maven.apache.org/download.cgi
>>>>>
>>>>> WDYT ?
>>>>>
>>>>> other changes/improvements ?
>>>>
>>>> I would definitively keep SHA-1 around. As for SHA2-512, isn't there 
>>>> any benefit for us ATM compared to 256?
>>>
>>> So you would say having only sha1, sha256 ?
>>
>> Correct.
> 
> changed accordingly..

+1



Re: Download links for sha256/sha512 checksums

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,

On 06/04/18 22:28, Michael Osipov wrote:
> On 2018-04-06 at 22:13, Karl Heinz Marbaise wrote:
>> Hi,
>>
>> On 06/04/18 21:54, Michael Osipov wrote:
>>> On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
>>>> Hi to all,
>>>>
>>>> updated the download page having now sha256/sha512 links...
>>>>
>>>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>>>
>>>> Most important:
>>>>
>>>> https://maven.apache.org/download.cgi
>>>>
>>>> WDYT ?
>>>>
>>>> other changes/improvements ?
>>>
>>> I would definitively keep SHA-1 around. As for SHA2-512, isn't there 
>>> any benefit for us ATM compared to 256?
>>
>> So you would say having only sha1, sha256 ?
> 
> Correct.

changed accordingly..

Kind regards
Karl Heinz Marbaise



Re: Download links for sha256/sha512 checksums

Posted by Michael Osipov <mi...@apache.org>.
On 2018-04-06 at 22:13, Karl Heinz Marbaise wrote:
> Hi,
> 
> On 06/04/18 21:54, Michael Osipov wrote:
>> On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
>>> Hi to all,
>>>
>>> updated the download page having now sha256/sha512 links...
>>>
>>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>>
>>> Most important:
>>>
>>> https://maven.apache.org/download.cgi
>>>
>>> WDYT ?
>>>
>>> other changes/improvements ?
>>
>> I would definitively keep SHA-1 around. As for SHA2-512, isn't there 
>> any benefit for us ATM compared to 256?
> 
> So you would say having only sha1, sha256 ?

Correct.



Re: Download links for sha256/sha512 checksums

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,

On 06/04/18 21:54, Michael Osipov wrote:
> On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
>> Hi to all,
>>
>> updated the download page having now sha256/sha512 links...
>>
>> first step of the efforts to migrate away from .md5 to sha256/sha512..
>>
>> Most important:
>>
>> https://maven.apache.org/download.cgi
>>
>> WDYT ?
>>
>> other changes/improvements ?
> 
> I would definitively keep SHA-1 around. As for SHA2-512, isn't there any 
> benefit for us ATM compared to 256?

So you would say having only sha1, sha256 ?

Kind regards
Karl Heinz Marbaise
> 
> Michael
> 



Re: Download links for sha256/sha512 checksums

Posted by Hervé BOUTEMY <he...@free.fr>.
To me, going to sha1 only *for fingerprints* is the right move currently.

Going to sha256 would make people think that a strong fingerprint means 
stronger security: this is wrong.
If you want security, check signatures (i.e. .asc files, with corresponding 
public keys), which are real security (done with strong fingerprints built 
inside).

But fingerprints alone are just checksums against download issues: technically, 
we could stay with md5 or even weaker (good old crc?), IMHO. It is just to 
avoid md5's bad reputation that we need to avoid it now: md5 for signatures is 
bad, but md5 for fingerprints could still be sufficient.

Regards,

Hervé

On Friday, 6 April 2018, 21:54:42 CEST, Michael Osipov wrote:
> On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
> > Hi to all,
> > 
> > updated the download page having now sha256/sha512 links...
> > 
> > first step of the efforts to migrate away from .md5 to sha256/sha512..
> > 
> > Most important:
> > 
> > https://maven.apache.org/download.cgi
> > 
> > WDYT ?
> > 
> > other changes/improvements ?
> 
> I would definitively keep SHA-1 around. As for SHA2-512, isn't there any
> benefit for us ATM compared to 256?
> 
> Michael
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org
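
The distinction drawn in the message above (a fingerprint catches download problems, a stronger hash alone adds no protection against a replaced file), as an added example that is not part of the original thread. The sidecar layouts accepted here (bare digest or `digest  filename`), the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Hex digest length -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sidecar(text):
    """Return (algorithm, hex_digest) from a checksum sidecar file.

    Accepts a bare digest or a `digest  filename` / `digest *filename`
    line (assumed layouts); the algorithm is inferred from digest length.
    """
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if not re.fullmatch(r"[0-9a-f]+", token) or len(token) not in ALGO_BY_HEX_LEN:
        raise ValueError("unrecognised checksum sidecar")
    return ALGO_BY_HEX_LEN[len(token)], token


def verify_checksum(artifact, sidecar_text):
    """Return (algorithm, matches) for artifact bytes against a sidecar."""
    algo, expected = parse_sidecar(sidecar_text)
    actual = hashlib.new(algo, artifact).hexdigest()
    return algo, hmac.compare_digest(actual, expected)


def make_sidecar(artifact, algo, name="artifact.zip"):
    """Build a sidecar the way anyone able to write to the download location can."""
    return f"{hashlib.new(algo, artifact).hexdigest()}  {name}\n"


def demo():
    original = b"constructed release archive bytes " * 64   # constructed sample
    truncated = original[:-100]                             # broken download
    replaced = original.replace(b"release", b"REPLACE")     # swapped file
    results = {}
    for algo in ("md5", "sha1", "sha256", "sha512"):
        published = make_sidecar(original, algo)
        results[algo] = {
            "intact": verify_checksum(original, published)[1],
            "truncated": verify_checksum(truncated, published)[1],
            # Sidecar regenerated next to the swapped file, same channel:
            # the check passes whatever the hash strength.
            "replaced_with_new_sidecar":
                verify_checksum(replaced, make_sidecar(replaced, algo))[1],
        }
    return results
```

Every algorithm flags the truncated download and every algorithm accepts the swapped file once its sidecar is regenerated; telling those apart needs the `.asc` signature checked against a public key obtained independently of the download.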





Re: Download links for sha256/sha512 checksums

Posted by Michael Osipov <mi...@apache.org>.
On 2018-04-06 at 21:50, Karl Heinz Marbaise wrote:
> Hi to all,
> 
> updated the download page having now sha256/sha512 links...
> 
> first step of the efforts to migrate away from .md5 to sha256/sha512..
> 
> Most important:
> 
> https://maven.apache.org/download.cgi
> 
> WDYT ?
> 
> other changes/improvements ?

I would definitively keep SHA-1 around. As for SHA2-512, isn't there any 
benefit for us ATM compared to 256?

Michael
