Posted to notifications@ant.apache.org by "Nicolas Lalevée (JIRA)" <ji...@apache.org> on 2017/05/21 17:32:04 UTC

[jira] [Resolved] (IVY-1554) Please add additional checksum algorithms

     [ https://issues.apache.org/jira/browse/IVY-1554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Lalevée resolved IVY-1554.
----------------------------------
       Resolution: Fixed
         Assignee: Nicolas Lalevée
    Fix Version/s: master

merged, thanks Jaikiran

> Please add additional checksum algorithms
> -----------------------------------------
>
>                 Key: IVY-1554
>                 URL: https://issues.apache.org/jira/browse/IVY-1554
>             Project: Ivy
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.4.0
>            Reporter: Andreas Felder
>            Assignee: Nicolas Lalevée
>            Priority: Critical
>              Labels: security
>             Fix For: master
>
>
> Apache Ivy provides two algorithms (SHA-1 and MD5) to verify the correctness of files in a repository. MD5 has been known to be unsafe for a while, which is no problem because SHA-1 is also supported. As of yesterday SHA-1 is also broken (e.g. http://hackaday.com/2017/02/23/shattered-sha-1-is-broken/).
> To ensure correctness of our artifacts, please extend those algorithms with SHA-256 and/or SHA-512.
> MessageDigests are computed in class
> https://git-wip-us.apache.org/repos/asf?p=ant-ivy.git;a=blob;f=src/java/org/apache/ivy/util/ChecksumHelper.java;h=56aa936296fa9fbd9699432f041e06a9e588a618;hb=HEAD
> using {{MessageDigest.getInstance(mdAlgorithm)}}. It should be no problem to extend the list of allowed algorithms, because at least with JDK/JRE 6 SHA-512 is supported (see https://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest).



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
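
The request above comes down to passing more JCA standard names to MessageDigest.getInstance and deciding which digest to trust when several checksum files exist. The following is an added example, not Ivy's code and not part of the original message: the class name, the checksum-file extensions and the file format are assumptions, and it prefers the strongest checksum file found next to the artifact, accepting SHA-1 or MD5 only when explicitly allowed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;

// Added illustration; class and method names are hypothetical, not Ivy's ChecksumHelper API.
public class ChecksumCheck {
    // {assumed checksum-file extension, JCA standard name}, strongest first.
    private static final String[][] ALGORITHMS = {
        {"sha512", "SHA-512"}, {"sha256", "SHA-256"},
        {"sha1", "SHA-1"}, {"md5", "MD5"}  // index 2 and up: legacy algorithms
    };
    static String hexDigest(Path file, String jcaName) throws Exception {
        MessageDigest md = MessageDigest.getInstance(jcaName);
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        byte[] d = md.digest();
        // Zero-padded lowercase hex, two characters per digest byte.
        return String.format("%0" + (d.length * 2) + "x", new BigInteger(1, d));
    }
    // Returns the algorithm that verified the artifact; throws on mismatch or if no
    // checksum file acceptable under the policy exists.
    static String verify(Path artifact, boolean allowLegacy) throws Exception {
        for (int i = 0; i < ALGORITHMS.length; i++) {
            Path sum = artifact.resolveSibling(artifact.getFileName() + "." + ALGORITHMS[i][0]);
            if (!Files.exists(sum) || (i >= 2 && !allowLegacy)) continue;
            // Assumed file format: "<hex>" optionally followed by whitespace and a file name.
            String expected = new String(Files.readAllBytes(sum), StandardCharsets.US_ASCII)
                    .trim().split("\\s+")[0].toLowerCase();
            if (!expected.equals(hexDigest(artifact, ALGORITHMS[i][1])))
                throw new IOException(ALGORITHMS[i][1] + " mismatch for " + artifact);
            return ALGORITHMS[i][1];
        }
        throw new IOException("no acceptable checksum file for " + artifact);
    }
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("checksum-demo");
        Path jar = dir.resolve("demo.jar");  // constructed sample artifact
        Files.write(jar, "constructed sample bytes".getBytes(StandardCharsets.US_ASCII));
        Files.write(dir.resolve("demo.jar.sha1"),
                hexDigest(jar, "SHA-1").getBytes(StandardCharsets.US_ASCII));
        Files.write(dir.resolve("demo.jar.sha256"),
                (hexDigest(jar, "SHA-256") + "  demo.jar\n").getBytes(StandardCharsets.US_ASCII));
        System.out.println("verified with " + verify(jar, false));
    }
}
```

A checksum file fetched from the same repository as the artifact detects corruption in transit or storage; it does not by itself authenticate the artifact against someone who can replace both files.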