www-infrastructure-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mike (JIRA)" <j...@apache.org>
Subject [jira] [Created] (INFRA-12626) Drop MD5 and SHA1 hashes for downloads, add SHA2
Date Fri, 16 Sep 2016 23:54:20 GMT
Mike created INFRA-12626:
----------------------------

             Summary: Drop MD5 and SHA1 hashes for downloads, add SHA2
                 Key: INFRA-12626
                 URL: https://issues.apache.org/jira/browse/INFRA-12626
             Project: Infrastructure
          Issue Type: Bug
          Components: Buildbot, Dists
            Reporter: Mike


On the download pages we provide MD5 and SHA1 hashes of the downloads. For an example, see:

https://archive.apache.org/dist/lucene/solr/4.10.4/solr-4.10.4.tgz

These are meant, as I understand it, to serve two purposes. First, they allow you to make
sure that your download succeeded. Second, they allow you to ensure that your download wasn't
tampered with.

For the first purpose: Great. They work. For the second purpose, however, we need to move
away from MD5 and SHA1 hashes, both of which can now be attacked with relatively modest hardware.


Browsers are moving away from SHA1 at a very fast pace. See:

https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

And:

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

I suggest we do the same. MD5 was great, but hasn't been good enough for much for a while.
SHA1 is better, but is on its way out. SHA2 is now where it's at.

(This issue will probably need help landing in the right components and project -- sorry about
that. I did my best.)





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message