lucene-solr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yoav Shapira" <yo...@apache.org>
Subject Re: Re: "correct" format for the md5 files?
Date Fri, 08 Dec 2006 23:22:33 GMT
BTW, for those concerned, there's nothing at the ASF that says you
must use only MD5.  You can add SHA-1 or any other algorithm if you
want.  See Ant for example: they've been doing MD5 and SHA-1 side by
side for years now (http://ant.apache.org/bindownload.cgi)

Yoav

On 12/8/06, Yonik Seeley <yonik@apache.org> wrote:
> On 12/8/06, Chris Hostetter <hossman_lucene@fucit.org> wrote:
> > : It _is_ a valid concern in general (I would never use md5 as a
> > : cryptographic hash, e.g., for passwords), but significantly less of a
> > : concern for this use.  The most important role of the hash is to
> > : ensure no corruption occurred during transfer.
> >
> > Bingo:  We checksum the files with MD5, we sign the files with GPG
>
> And the standard digital signature content hash is defined to be SHA-1
> AFAIK.  And yes, someone has managed to find a way to get collisions
> in SHA1 hashes in less time than it would take to purely guess at
> random.  But let's be serious... for our projects it's going to be far
> easier and cheaper to circumvent the encryption than break it.
>
> When PGP/GPG switch to a different mechanism by default, so will we.
>
> -Yonik
>

Mime
View raw message