[jira] [Commented] (BIGTOP-2109) Getting rid of md5 and sha1 for release artifacts

["Peter Linnell (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/BIGTOP-2109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15211449#comment-15211449 ] 

Peter Linnell commented on BIGTOP-2109:
---------------------------------------

Do we have a gpg key specific to signing things or do we appoint someone to use their personal key and have that key signed by several PMC's top establish a web of trust ?

With Scribus, where I have been manually signing releases, this has been a manual task.  One reason we use gpg is we have 100% control of all source files.

We have, in recent releases, been providing sha256sums. https://wiki.scribus.net/canvas/1.4.6_Release example.

Bigtop, by consuming other's source files does not have that control of the content, so to my mind sha256sums should be sufficient and all modern distros have sha256.

I just wanted to spell out options ;-)



> Getting rid of md5 and sha1 for release artifacts
> -------------------------------------------------
>
>                 Key: BIGTOP-2109
>                 URL: https://issues.apache.org/jira/browse/BIGTOP-2109
>             Project: Bigtop
>          Issue Type: Sub-task
>          Components: build
>    Affects Versions: 1.0.0
>            Reporter: Konstantin Boudnik
>              Labels: 1.2.0
>             Fix For: backlog
>
>
> As discussed on the dev list [recently| ] it is wise to stop relying on md5 and sha1 sums as they are inherently insecure. [~apurtell] has suggested to use Hbase approach on this by essentially doing
> {code} for i in *.tar.gz; do echo $i; gpg --print-mds $i > $i.mds ; done {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)