> On 30 Oct 2017, at 20:47, Matthias Bläsing <mblaesing@doppel-helix.eu> wrote:
>
> Hey,
>
> On Monday, 30.10.2017, 20:02 +0100, Antonio Vieiro wrote:
>>>> On the other hand during review of HTML/Java API I had to remove download
>>>> from google Maven repository - it was seen as untrusted. I assume the same
>>>> will be said about the eclipse repository.
>>>
>>> I don't follow that argument. The trust basis is the SHA1 hash that is
>>> checked at download time. At this point in time I consider SHA1 as a
>>> safe basis and thus I don't care if the binary comes from Maven Central,
>>> the eclipse repository or whatever.
>>
>> Untrusted because missing https certificates, maybe?
>>
>> The DownloadBinaries.java ant task currently uses plain http, so no worries about
>> https certificates (but we could use a custom SSLSocketFactory with some certs if required).
>>
>
> Please see the DownloadBinaries#doDownload method. The download is done
> and after that the file hash is compared with the reference from the
> binaries-list.
I agree with you that the SHA1 is enough. I meant that maybe Yaroslav was talking about “untrusted
HTTPS” connections.
Cheers,
Antonio
>
> So you'd need to create a SHA1 collision to inject code when
> downloading. While theoretically possible, I'd currently not think
> about the problem.
>
> We should think about making the hashing extendable, so that we can
> later switch to safer hashing algorithms.
>
> Greetings
>
> Matthias
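The hash-pinned download check discussed in this thread, with the digest algorithm made selectable per entry so a list can be migrated away from SHA1 one artifact at a time, as an added Python example (not NetBeans' DownloadBinaries code; the entry format, artifact names, payloads and digests are constructed for the example):

```python
import hashlib
import hmac

# Digest algorithms an entry may name; the prefix makes the scheme extendable.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}
WEAK = {"sha1"}  # still accepted, but reported so those entries can be upgraded

# Constructed binaries-list (assumed format, not the NetBeans one). The digests
# are of the constructed payloads b"hello" and b"", not of any real artifact.
BINARIES_LIST = """\
# <algo>:<hexdigest> <artifact>; a bare hex digest means a legacy SHA1 entry
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d old-lib.jar
sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 new-lib.jar
"""

def parse_entry(line):
    """Parse one list line into (algo, hexdigest, name); None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    digest, name = line.split(None, 1)
    algo, sep, hexdigest = digest.partition(":")
    if not sep:  # no algorithm prefix: treat as a legacy SHA1 entry
        algo, hexdigest = "sha1", digest
    algo = algo.lower()
    if algo not in ALGORITHMS:
        raise ValueError(f"{name}: unsupported hash algorithm {algo!r}")
    return algo, hexdigest.lower(), name

def verify_download(data, algo, expected_hex):
    """True iff data hashes to expected_hex under algo (constant-time compare)."""
    actual = ALGORITHMS[algo](data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)

def check_binaries(listing, fetch):
    """Fetch (fetch(name) -> bytes) and verify every entry; raise on mismatch.

    Returns the names still pinned with a weak algorithm, for later upgrade.
    """
    weak = []
    for line in listing.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        algo, expected_hex, name = entry
        if not verify_download(fetch(name), algo, expected_hex):
            raise ValueError(f"{name}: {algo} digest mismatch, refusing download")
        if algo in WEAK:
            weak.append(name)
    return weak
```

The transport (plain http or https) does not change the check; a download that does not hash to the pinned value is rejected either way.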