You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@bigtop.apache.org by "Peter Linnell (JIRA)" <ji...@apache.org> on 2016/03/25 06:39:25 UTC
[jira] [Commented] (BIGTOP-2109) Getting rid of md5 and sha1 for
release artifacts
[ https://issues.apache.org/jira/browse/BIGTOP-2109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15211449#comment-15211449 ]
Peter Linnell commented on BIGTOP-2109:
---------------------------------------
Do we have a gpg key specific to signing things or do we appoint someone to use their personal key and have that key signed by several PMC's top establish a web of trust ?
With Scribus, where I have been manually signing releases, this has been a manual task. One reason we use gpg is we have 100% control of all source files.
We have, in recent releases, been providing sha256sums. https://wiki.scribus.net/canvas/1.4.6_Release example.
Bigtop, by consuming other's source files does not have that control of the content, so to my mind sha256sums should be sufficient and all modern distros have sha256.
I just wanted to spell out options ;-)
> Getting rid of md5 and sha1 for release artifacts
> -------------------------------------------------
>
> Key: BIGTOP-2109
> URL: https://issues.apache.org/jira/browse/BIGTOP-2109
> Project: Bigtop
> Issue Type: Sub-task
> Components: build
> Affects Versions: 1.0.0
> Reporter: Konstantin Boudnik
> Labels: 1.2.0
> Fix For: backlog
>
>
> As discussed on the dev list [recently| ] it is wise to stop relying on md5 and sha1 sums as they are inherently insecure. [~apurtell] has suggested to use Hbase approach on this by essentially doing
> {code} for i in *.tar.gz; do echo $i; gpg --print-mds $i > $i.mds ; done {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)