Posted to dev@commons.apache.org by Gary Gregory <ga...@gmail.com> on 2018/05/18 15:30:45 UTC

[ALL] SHA-1 vs. SHA-256

Hi All:

Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.

We just updated to SHA-1 which apparently has been subject to a collision
attack [2].

Our newish commons-release-plugin has just been updated to SHA-1.

I'd like to add SHA-256 alongside SHA-1.

Thoughts?

[1]
https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
[2]
https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

Re: [ALL] SHA-1 vs. SHA-256

Posted by Gary Gregory <ga...@gmail.com>.
On Fri, May 18, 2018 at 9:56 AM, Rob Tompkins <ch...@gmail.com> wrote:

>
>
> > On May 18, 2018, at 11:42 AM, Gary Gregory <ga...@gmail.com>
> wrote:
> >
> >> On Fri, May 18, 2018 at 9:36 AM, sebb <se...@gmail.com> wrote:
> >>
> >>> On 18 May 2018 at 16:30, Gary Gregory <ga...@gmail.com> wrote:
> >>> Hi All:
> >>>
> >>> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
> >>>
> >>> We just updated to SHA-1 which apparently has been subject to a
> collision
> >>> attack [2].
> >>>
> >>> Our newish commons-release-plugin has just been updated to SHA-1.
> >>>
> >>> I'd like to add SHA-256 alongside SHA-1.
> >>>
> >>> Thoughts?
> >>
> >> Does Nexus support SHA-256?
> >>
> >> ISTR that there were some issues with it.
> >>
> >
> > Hard to say without trying:
> > - No: https://issues.sonatype.org/browse/NEXUS-5881
> > - Yes:
> > https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes
> >
> > _But_, it would be a start to include SHA-256 in VOTE emails, which I am
> > working on with Rob to generate based on a template.
> >
> > That would give RC reviewers the opportunity to validate RC downloads
> from
> > dist with SHA-1 or SHA-256.
>
> If it’s only the release artifacts (tars/zips), that’s easy. If it’s the
> “convenience artifacts,” then I’m not sure. I think maven or nexus
> generates those under the hood which gives us less control.
>

I'll just make the release plugin generate a sha256.properties file like we
do a sha1.properties file. Let's leave Nexus aside for now...

Gary

>
> -Rob
>
> >
> > Gary
> >
> >
> >>> [1]
> >>> https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
> >>> [2]
> >>> https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >>
>

Re: [ALL] SHA-1 vs. SHA-256

Posted by Rob Tompkins <ch...@gmail.com>.

> On May 18, 2018, at 11:42 AM, Gary Gregory <ga...@gmail.com> wrote:
> 
>> On Fri, May 18, 2018 at 9:36 AM, sebb <se...@gmail.com> wrote:
>> 
>>> On 18 May 2018 at 16:30, Gary Gregory <ga...@gmail.com> wrote:
>>> Hi All:
>>> 
>>> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
>>> 
>>> We just updated to SHA-1 which apparently has been subject to a collision
>>> attack [2].
>>> 
>>> Our newish commons-release-plugin has just been updated to SHA-1.
>>> 
>>> I'd like to add SHA-256 alongside SHA-1.
>>> 
>>> Thoughts?
>> 
>> Does Nexus support SHA-256?
>> 
>> ISTR that there were some issues with it.
>> 
> 
> Hard to say without trying:
> - No: https://issues.sonatype.org/browse/NEXUS-5881
> - Yes:
> https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes
> 
> _But_, it would be a start to include SHA-256 in VOTE emails, which I am
> working on with Rob to generate based on a template.
> 
> That would give RC reviewers the opportunity to validate RC downloads from
> dist with SHA-1 or SHA-256.

If it’s only the release artifacts (tars/zips), that’s easy. If it’s the “convenience artifacts,” then I’m not sure. I think maven or nexus generates those under the hood which gives us less control. 

-Rob

> 
> Gary
> 
> 
>>> [1]
>>> https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
>>> [2]
>>> https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
>> 

Re: [ALL] SHA-1 vs. SHA-256

Posted by Gary Gregory <ga...@gmail.com>.
On Fri, May 18, 2018 at 9:36 AM, sebb <se...@gmail.com> wrote:

> On 18 May 2018 at 16:30, Gary Gregory <ga...@gmail.com> wrote:
> > Hi All:
> >
> > Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
> >
> > We just updated to SHA-1 which apparently has been subject to a collision
> > attack [2].
> >
> > Our newish commons-release-plugin has just been updated to SHA-1.
> >
> > I'd like to add SHA-256 alongside SHA-1.
> >
> > Thoughts?
>
> Does Nexus support SHA-256?
>
> ISTR that there were some issues with it.
>

Hard to say without trying:
- No: https://issues.sonatype.org/browse/NEXUS-5881
- Yes:
https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes

_But_, it would be a start to include SHA-256 in VOTE emails, which I am
working on with Rob to generate based on a template.

That would give RC reviewers the opportunity to validate RC downloads from
dist with SHA-1 or SHA-256.

Gary


> > [1]
> > https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
> > [2]
> > https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
>

Re: [ALL] SHA-1 vs. SHA-256

Posted by sebb <se...@gmail.com>.
On 18 May 2018 at 16:30, Gary Gregory <ga...@gmail.com> wrote:
> Hi All:
>
> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
>
> We just updated to SHA-1 which apparently has been subject to a collision
> attack [2].
>
> Our newish commons-release-plugin has just been updated to SHA-1.
>
> I'd like to add SHA-256 alongside SHA-1.
>
> Thoughts?

Does Nexus support SHA-256?

ISTR that there were some issues with it.

> [1]
> https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
> [2]
> https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

Re: [ALL] SHA-1 vs. SHA-256

Posted by ajs6f <aj...@apache.org>.
+1

ajs6f

> On May 18, 2018, at 5:50 PM, Bruno P. Kinoshita <ki...@apache.org> wrote:
> 
> No objections from me. +1
> 
> Sent from Yahoo Mail on Android 
> 
> On Sat, 19 May 2018 at 9:24, Gary Gregory <ga...@gmail.com> wrote:
>
> Hi All:
> 
> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
> 
> We just updated to SHA-1 which apparently has been subject to a collision
> attack [2].
> 
> Our newish commons-release-plugin has just been updated to SHA-1.
> 
> I'd like to add SHA-256 alongside SHA-1.
> 
> Thoughts?
> 
> [1]
> https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
> [2]
> https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
> 


Re: [ALL] SHA-1 vs. SHA-256

Posted by "Bruno P. Kinoshita" <ki...@apache.org>.
No objections from me. +1

Sent from Yahoo Mail on Android

On Sat, 19 May 2018 at 9:24, Gary Gregory <ga...@gmail.com> wrote:

Hi All:

Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.

We just updated to SHA-1 which apparently has been subject to a collision
attack [2].

Our newish commons-release-plugin has just been updated to SHA-1.

I'd like to add SHA-256 alongside SHA-1.

Thoughts?

[1]
https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
[2]
https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

Re: [ALL] SHA-1 vs. SHA-256

Posted by Gary Gregory <ga...@gmail.com>.
On Sat, May 19, 2018 at 6:38 AM, ajs6f <aj...@apache.org> wrote:

> > On May 19, 2018, at 5:34 AM, Emmanuel Bourg <eb...@apache.org> wrote:
> > On 18/05/2018 17:30, Gary Gregory wrote:
> >
> >> Thoughts?
> >
> > I wouldn't bother. The checksum is just there to ensure the download
> worked properly, and for this even md5 is fine.
> >
> > The authenticity of the artifacts is ensured by the GPG signatures.
> >
> > Emmanuel Bourg
>
> True, but there's a considerable portion of users who check the checksums
> and nothing else.
>

The Commons release plugin in git master now has a goal that generates a
target/VOTE.txt file which includes both SHA-1 and SHA-256 hashes.

Gary


> ajs6f
>
>

Re: [ALL] SHA-1 vs. SHA-256

Posted by ajs6f <aj...@apache.org>.
> On May 19, 2018, at 5:34 AM, Emmanuel Bourg <eb...@apache.org> wrote:
> On 18/05/2018 17:30, Gary Gregory wrote:
> 
>> Thoughts?
> 
> I wouldn't bother. The checksum is just there to ensure the download worked properly, and for this even md5 is fine.
> 
> The authenticity of the artifacts is ensured by the GPG signatures.
> 
> Emmanuel Bourg

True, but there's a considerable portion of users who check the checksums and nothing else. 

ajs6f


Re: [ALL] SHA-1 vs. SHA-256

Posted by Emmanuel Bourg <eb...@apache.org>.
On 18/05/2018 17:30, Gary Gregory wrote:

> Thoughts?

I wouldn't bother. The checksum is just there to ensure the download
worked properly, and for this even md5 is fine.

The authenticity of the artifacts is ensured by the GPG signatures.

Emmanuel Bourg

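A worked example added to this thread (it is not code from the Apache Commons release plugin or from anyone posting here). It covers two points raised above: Gary's plan to emit a SHA-256 file next to the SHA-1 one and a VOTE listing carrying both hashes, and Emmanuel's and ajs6f's exchange about what a checksum does and does not prove. The script generates `<artifact>.sha1` and `<artifact>.sha256` files plus a VOTE-style listing, verifies a download against them, and shows that a corrupted download fails the check (the integrity role). Authenticity is left to a separate `verify_signature` step that shells out to `gpg --verify`. Assumed, because the page does not specify them: the `.sha1`/`.sha256` file naming, the coreutils `hex  filename` line format, the `name: digest` VOTE layout, and a detached `<artifact>.asc` signature.

```python
"""Generate and verify SHA-1/SHA-256 checksums for release artifacts.

Added example, not Apache Commons code. File naming (<artifact>.sha1,
<artifact>.sha256, <artifact>.asc), the "hex  filename" line format and the
VOTE listing layout are assumptions; the thread does not spell them out.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile

ALGORITHMS = ("sha1", "sha256")


def digest_file(path, algorithm):
    """Stream the file through hashlib so a large tarball is never held in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksum_files(artifact_path):
    """Write <artifact>.sha1 and <artifact>.sha256 beside the artifact.

    Returns {algorithm: hexdigest}. The two-space separator is the coreutils
    convention, so reviewers can run `sha256sum -c <artifact>.sha256`.
    """
    digests = {}
    name = os.path.basename(artifact_path)
    for algorithm in ALGORITHMS:
        hexdigest = digest_file(artifact_path, algorithm)
        digests[algorithm] = hexdigest
        with open(artifact_path + "." + algorithm, "w") as f:
            f.write("%s  %s\n" % (hexdigest, name))
    return digests


def vote_listing(artifact_paths):
    """Render a VOTE-mail style block with both hashes per artifact.

    Constructed layout: the real VOTE.txt format is not shown in the thread.
    """
    lines = []
    for path in artifact_paths:
        lines.append(os.path.basename(path))
        for algorithm in ALGORITHMS:
            lines.append("  %s: %s" % (algorithm.upper(), digest_file(path, algorithm)))
    return "\n".join(lines) + "\n"


def parse_checksum_line(line):
    """Accept a bare hex digest or 'hex  filename'; return the digest in lowercase."""
    return line.strip().split()[0].lower()


def verify_download(artifact_path, algorithm):
    """Integrity check: True if the artifact matches the published digest.

    A match shows the bytes arrived intact. It says nothing about who produced
    them, because a checksum published beside the artifact travels with it.
    """
    with open(artifact_path + "." + algorithm) as f:
        expected = parse_checksum_line(f.readline())
    actual = digest_file(artifact_path, algorithm)
    return hmac.compare_digest(expected, actual)


def verify_signature(artifact_path):
    """Authenticity check: ask gpg to verify the detached .asc signature.

    Assumed workflow (the thread names GPG signatures but shows no command);
    needs gpg installed and the release manager's key in the local keyring.
    """
    result = subprocess.run(["gpg", "--verify", artifact_path + ".asc", artifact_path],
                            capture_output=True, text=True)
    return result.returncode == 0


def demo(payload=b"abc"):
    """Write a constructed artifact, publish checksums, verify, then corrupt it.

    Returns (digests, intact_results, corrupted_results); the corrupted case
    models a truncated or damaged download, which is what a checksum catches.
    """
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "commons-example-1.0-src.tar.gz")
        with open(artifact, "wb") as f:
            f.write(payload)
        digests = write_checksum_files(artifact)
        intact = {a: verify_download(artifact, a) for a in ALGORITHMS}
        with open(artifact, "r+b") as f:   # flip the first byte
            f.write(b"X")
        corrupted = {a: verify_download(artifact, a) for a in ALGORITHMS}
    return digests, intact, corrupted


if __name__ == "__main__":
    digests, intact, corrupted = demo()
    print(digests)
    print("intact:", intact, "corrupted:", corrupted)
```

`demo()` defaults to the payload `abc` so the digests it returns can be compared against the published test vectors for SHA-1 and SHA-256; pass real artifact bytes to see the same flow on a tarball. `verify_signature` is the step a reviewer who "checks the checksums and nothing else" skips, and it is the only one of the two that binds the artifact to the release manager's key.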