incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jürgen Schmidt <jogischm...@googlemail.com>
Subject Re: Build and Release Hygiene
Date Tue, 17 Jul 2012 07:33:33 GMT
On 7/17/12 5:43 AM, Fernando Cassia wrote:
> On Mon, Jul 16, 2012 at 12:04 PM, Rob Weir <robweir@apache.org> wrote:
>> or verifying the MD5 hashes.
> 
> SHA1 :)
> 
> ----
> In 2004, more serious flaws were discovered in MD5, making further use
> of the algorithm for security purposes questionable—specifically, a
> group of researchers described how to create a pair of files that
> share the same MD5 checksum.[4][5] Further advances were made in
> breaking MD5 in 2005, 2006, and 2007.[6] In December 2008, a group of
> researchers used this technique to fake SSL certificate
> validity,[7][8] and US-CERT now says that MD5 "should be considered
> cryptographically broken and unsuitable for further use."[9] and most
> U.S. government applications now require the SHA-2 family of hash
> functions
> ----
> http://en.wikipedia.org/wiki/MD5
> 
> FC
> 

well, we have md5, sha1, sha256, sha512 and gpg signature that can be
verified. Ok in the future I will reduce the sha checksums to only one.
But I can't remember which one was required by virus scanners to
identify our official releases, sha256 or sha512?

See for example
http://people.apache.org/~jsc/developer-snapshots/r1359641/macos/

Juergen


Mime
View raw message