[ALL] SHA-1 vs. SHA-256


[ALL] SHA-1 vs. SHA-256

garydgregory
Hi All:

Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.

We just updated to SHA-1 which apparently has been subject to a collision
attack [2].

Our newish commons-release-plugin has just been updated to SHA-1.

I'd like to add SHA-256 alongside SHA-1.

Thoughts?

[1]
https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
[2]
https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

Re: [ALL] SHA-1 vs. SHA-256

sebb-2-2
On 18 May 2018 at 16:30, Gary Gregory <[hidden email]> wrote:


Does Nexus support SHA-256?

ISTR that there were some issues with it.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [ALL] SHA-1 vs. SHA-256

garydgregory
On Fri, May 18, 2018 at 9:36 AM, sebb <[hidden email]> wrote:

> Does Nexus support SHA-256?
>
> ISTR that there were some issues with it.
>

Hard to say without trying:
- No: https://issues.sonatype.org/browse/NEXUS-5881
- Yes:
https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes

_But_, it would be a start to include SHA-256 in VOTE emails, which I am
working on with Rob to generate based on a template.

That would give RC reviewers the opportunity to validate RC downloads from
dist with SHA-1 or SHA-256.

Gary



Re: [ALL] SHA-1 vs. SHA-256

Rob Tompkins


> On May 18, 2018, at 11:42 AM, Gary Gregory <[hidden email]> wrote:
> _But_, it would be a start to include SHA-256 in VOTE emails, which I am
> working on with Rob to generate based on a template.
>
> That would give RC reviewers the opportunity to validate RC downloads from
> dist with SHA-1 or SHA-256.

If it’s only the release artifacts (tars/zips), that’s easy. If it’s the “convenience artifacts,” then I’m not sure. I think maven or nexus generates those under the hood which gives us less control.

-Rob


Re: [ALL] SHA-1 vs. SHA-256

garydgregory
On Fri, May 18, 2018 at 9:56 AM, Rob Tompkins <[hidden email]> wrote:

> If it’s only the release artifacts (tars/zips), that’s easy. If it’s the
> “convenience artifacts,” then I’m not sure. I think maven or nexus
> generates those under the hood which gives us less control.
>

I'll just make the release plugin generate a sha256.properties file like we
do a sha1.properties file. Let's leave Nexus aside for now...

Gary


Re: [ALL] SHA-1 vs. SHA-256

Bruno P. Kinoshita-2
No objections from me. +1

Sent from Yahoo Mail on Android
 
On Sat, 19 May 2018 at 9:24, Gary Gregory <[hidden email]> wrote:


Re: [ALL] SHA-1 vs. SHA-256

Adam Soroka
+1

ajs6f

> On May 18, 2018, at 5:50 PM, Bruno P. Kinoshita <[hidden email]> wrote:
>
> No objections from me. +1

Re: [ALL] SHA-1 vs. SHA-256

Emmanuel Bourg-3
On 18/05/2018 17:30, Gary Gregory wrote:

> Thoughts?

I wouldn't bother. The checksum is just there to ensure the download
worked properly, and for this even md5 is fine.

The authenticity of the artifacts is ensured by the GPG signatures.

Emmanuel Bourg


Re: [ALL] SHA-1 vs. SHA-256

Adam Soroka
> On May 19, 2018, at 5:34 AM, Emmanuel Bourg <[hidden email]> wrote:
> On 18/05/2018 17:30, Gary Gregory wrote:
>
>> Thoughts?
>
> I wouldn't bother. The checksum is just there to ensure the download worked properly, and for this even md5 is fine.
>
> The authenticity of the artifacts is ensured by the GPG signatures.
>
> Emmanuel Bourg

True, but there's a considerable portion of users who check the checksums and nothing else.

ajs6f



Re: [ALL] SHA-1 vs. SHA-256

garydgregory
On Sat, May 19, 2018 at 6:38 AM, ajs6f <[hidden email]> wrote:

> True, but there's a considerable portion of users who check the checksums
> and nothing else.
>

The Commons release plugin in git master now has a goal that generates a
target/VOTE.txt file which includes both SHA-1 and SHA-256 hashes.

Gary


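The two halves of what the thread settles on, as an added example that is not the commons-release-plugin's own (Java) code: the release side writes a sha1.properties and a sha256.properties next to the artifacts and produces the hash block for the VOTE email, and the reviewer side checks a download against the published digest. The `filename=hexdigest` one-line-per-artifact layout, the artifact name and its bytes are all assumptions made for this example; the plugin's real file format may differ. The docstring on `verify_download` carries Emmanuel's caveat: a matching checksum confirms the bytes arrived intact, not who published them, which is what the GPG signature is for.

```python
"""Per-artifact SHA-1 and SHA-256 checksum files for a release candidate.

Added example; this is not code from the Apache Commons release plugin.
Assumptions: checksums are published one per line as `filename=hexdigest`
(a .properties-style layout; the plugin's real file format may differ),
and the VOTE.txt section lists both digests under each artifact name.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

_CHUNK = 1 << 20  # hash large tarballs/zips without loading them into memory


def digest_bytes(data: bytes, algorithm: str) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: Path, algorithm: str) -> str:
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksum_properties(artifacts, algorithm: str, out: Path) -> Path:
    """Release side: emit shaNNN.properties next to the artifacts."""
    lines = [f"{p.name}={digest_file(p, algorithm)}" for p in artifacts]
    out.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return out


def parse_checksum_properties(text: str) -> dict:
    """Reviewer side: read the published file into {filename: hexdigest}."""
    published = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # .properties comment lines
            continue
        name, sep, value = line.partition("=")
        if sep:
            published[name.strip()] = value.strip().lower()
    return published


def verify_download(path: Path, published: dict, algorithm: str) -> bool:
    """Does the downloaded file match the published digest?

    A match shows the bytes arrived intact. It does NOT show who published
    them: whoever can replace the artifact on a mirror can replace the
    checksum file beside it, so authenticity still rests on the detached
    GPG signature, checked separately with gpg --verify.
    """
    expected = published.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(digest_file(path, algorithm), expected)


def vote_text_section(artifacts) -> str:
    """The hash block a VOTE email can carry, both algorithms per artifact."""
    out = []
    for p in artifacts:
        out.append(p.name)
        out.append(f"  SHA-1:   {digest_file(p, 'sha1')}")
        out.append(f"  SHA-256: {digest_file(p, 'sha256')}")
    return "\n".join(out)


def run_demo() -> dict:
    """End to end on a constructed artifact in a temp dir; returns the checks."""
    with tempfile.TemporaryDirectory() as d:
        dist = Path(d)
        # Constructed sample artifact: the name and the bytes are made up.
        artifact = dist / "commons-example-1.0-bin.tar.gz"
        artifact.write_bytes(b"constructed release bytes\n" * 1000)

        sha1_file = write_checksum_properties([artifact], "sha1", dist / "sha1.properties")
        sha256_file = write_checksum_properties([artifact], "sha256", dist / "sha256.properties")
        sha1 = parse_checksum_properties(sha1_file.read_text())
        sha256 = parse_checksum_properties(sha256_file.read_text())

        # A corrupted or tampered copy: same name, first byte changed.
        download = dist / "download"
        download.mkdir()
        tampered = download / artifact.name
        tampered.write_bytes(b"x" + artifact.read_bytes()[1:])

        return {
            "sha256_hex": sha256[artifact.name],
            "sha1_hex": sha1[artifact.name],
            "good_sha1": verify_download(artifact, sha1, "sha1"),
            "good_sha256": verify_download(artifact, sha256, "sha256"),
            "tampered_sha256": verify_download(tampered, sha256, "sha256"),
            "vote_section": vote_text_section([artifact]),
        }


if __name__ == "__main__":
    print(run_demo()["vote_section"])
```

Running the file prints the VOTE-style block for the constructed artifact. `hmac.compare_digest` is used for the comparison out of habit rather than necessity here, since the digests are public; the point that matters for an RC reviewer is the docstring one: after the checksum matches, still run `gpg --verify` against the release manager's key from the project KEYS file.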