incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian Hyde <jh...@apache.org>
Subject Re: Digests in releases
Date Thu, 31 Aug 2017 18:21:48 GMT
After downloading artifacts, there are 3 things to check: (1) the download is successful; (2)
the artifacts were indeed created by the named author; and (3) the artifacts have not been
tampered with.

A security expert would know to use the .md5 for (1), the .asc for (2), and the .sha256 or
.sha512 for (3).

But we are not all security experts. An ordinary user might use the .md5 for (3), a purpose
that it is not suited for.

If we switch to .sha256 / .sha512 for both (1) and (3) there is one fewer thing that can go
wrong.

Julian


> On Aug 30, 2017, at 4:12 PM, sebb <sebbaz@gmail.com> wrote:
> 
> Surely the main purpose of the hash is to check that the download has
> been successful.
> As such, MD5 is adequate.


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message