You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Julian Reschke (JIRA)" <ji...@apache.org> on 2017/07/13 11:07:00 UTC
[jira] [Commented] (OAK-5827) Don't use SHA-1 for new DataStore
binaries
[ https://issues.apache.org/jira/browse/OAK-5827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16085539#comment-16085539 ]
Julian Reschke commented on OAK-5827:
-------------------------------------
[~amitjain] - once we upgrade to Jackrabbit 2.14.2 (OAK-6442) we'll need this applied to 1.6 as well. Should I take over and do both?
> Don't use SHA-1 for new DataStore binaries
> ------------------------------------------
>
> Key: OAK-5827
> URL: https://issues.apache.org/jira/browse/OAK-5827
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Reporter: Thomas Mueller
> Assignee: Amit Jain
> Labels: candidate_oak_1_0, candidate_oak_1_2, candidate_oak_1_4, candidate_oak_1_6
> Fix For: 1.7.0, 1.8
>
> Attachments: OAK-5827b.patch, OAK-5827.patch
>
>
> A [collision for SHA-1|https://www.schneier.com/blog/archives/2017/02/sha-1_collision.html] has been published. We still use SHA-1 for the FileDataStore, and I believe the S3 DataStore right now. Given there is a collision, we should switch to a stronger algorithm, for example SHA-256, for new binaries.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)