www-repository mailing list archives

From "Steve Loughran" <steve.lough...@gmail.com>
Subject Re: Summary
Date Wed, 01 Mar 2006 11:39:51 GMT
On 3/1/06, Henk P. Penning <henkp@cs.uu.nl> wrote:
> On Tue, 28 Feb 2006, Henri Yandell wrote:
>
> > Date: Tue, 28 Feb 2006 23:59:21 -0800
> > From: Henri Yandell <flamefew@gmail.com>
> > To: repository@apache.org
> > Subject: Summary
>
> > * jars must be: md5'd, sha1'd, pgp (.asc'd).
>
>   IMHO, it's nonsense to have both md5 and sha1.

MD5 is 0wned, at least in crypto terms; SHA1 is next on the list. It
has a few years left, but md5+SHA1 is more secure. PGP best yet.

One problem all have is they just checksum the file, but in java-land,
signing a jar internally affects the file. So if I sign a file, I've
just changed its sha1 checksum. This isn't relevant for the apache
repositories, but matters in my day work, deployment, where our
runtime uses a secure classloader that only loads signed jars.

steve


-Steve
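The jar-signing point above, illustrated with an added Python example that is not part of this thread: it simulates the file-level effect of signing (adding META-INF/MANIFEST.MF with per-entry digests and a META-INF/SIGNER.SF, as jarsigner does, but without a real signature block) and shows the published md5/sha1 of the archive changing while the digests inside the jar still verify. The function names and the sample entry are my own constructions.

```python
import base64
import hashlib
import io
import zipfile


def build_jar(entries):
    # A jar is just a zip; ZipInfo(name) gives a fixed timestamp, so output is deterministic.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()


def b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def manifest_for(zf):
    # Per-entry SHA1 digests of every non-META-INF entry, in the manifest layout jarsigner uses.
    text = "Manifest-Version: 1.0\r\n\r\n"
    for name in zf.namelist():
        if not name.startswith("META-INF/"):
            text += f"Name: {name}\r\nSHA1-Digest: {b64_sha1(zf.read(name))}\r\n\r\n"
    return text


def sign_jar(jar_bytes, signer="SIGNER"):
    # Simulates the file-level effect of signing: META-INF/MANIFEST.MF and a
    # META-INF/<signer>.SF are added (the real RSA/DSA signature block is omitted here).
    # Original entries are untouched, but the archive changes, so its checksum does too.
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    manifest = manifest_for(src)
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64_sha1(manifest.encode())}\r\n"
    entries = {"META-INF/MANIFEST.MF": manifest, f"META-INF/{signer}.SF": sf}
    entries.update({n: src.read(n) for n in src.namelist()})
    return build_jar(entries)


def checksums(data):
    # The md5 and sha1 a repository publishes beside the artifact.
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def internal_digests_intact(jar_bytes):
    # What a signature-aware classloader checks: the manifest digests still match
    # the entries, even though the external checksum of the file has moved.
    zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    return zf.read("META-INF/MANIFEST.MF").decode() == manifest_for(zf)
```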
