www-infrastructure-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Takamori (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (INFRA-12626) Drop MD5 and SHA1 hashes for downloads, add SHA2
Date Fri, 23 Sep 2016 16:19:20 GMT

     [ https://issues.apache.org/jira/browse/INFRA-12626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Daniel Takamori updated INFRA-12626:
    Issue Type: Planned Work  (was: Bug)

> Drop MD5 and SHA1 hashes for downloads, add SHA2
> ------------------------------------------------
>                 Key: INFRA-12626
>                 URL: https://issues.apache.org/jira/browse/INFRA-12626
>             Project: Infrastructure
>          Issue Type: Planned Work
>          Components: Buildbot, Dists
>            Reporter: Mike
> On the download pages we provide MD5 and SHA1 hashes of the downloads. For an example,
> https://archive.apache.org/dist/lucene/solr/4.10.4
> These are meant, as I understand it, to serve two purposes. First, they allow you to
make sure that your download succeeded. Second, they allow you to ensure that your download
wasn't tampered with.
> For the first purpose: Great. They work. For the second purpose, however, we need to
move away from MD5 and SHA1 hashes, both of which can now be attacked with relatively modest
> Browsers are moving away from SHA1 at a very fast pace. See:
> https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
> And:
> https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
> I suggest we do the same. MD5 was great, but hasn't been good enough for much for a while.
SHA1 is better, but is on its way out. SHA2 is now where it's at.
> (This issue will probably need help landing in the right components and project -- sorry
about that. I did my best.)

This message was sent by Atlassian JIRA

View raw message