On 19/02/2015 16:24, Samuel Gaist wrote:
> On 19 Feb. 2015, at 16:05, Bo Thorsen <b...@vikingsoft.eu> wrote:
>
>> On 02/19/2015 02:36 PM, Jérôme Pinguet wrote:
>>> Hello!
>>>
>>> Would it be possible to add sha256 (and/or sha512) checksums to the Qt
>>> 4.8.6 download page [1]?
>>>
>>> md5 checksums are easily forged in a few days with a couple of GPUs. In
>>> a post-Snowden era, to avoid security issues with downloads on a page
>>> that is not https by default, using sha2 (sha256 for instance) is necessary.
>>>
>>> Other security enhancements suggested:
>>>
>>> * make https default for download pages
>>> * sign checksums files (md5sums-4.8.6 and the future sha256sums-4.8.6)
>>> file with a well known Qt developer's GPG key
>>>
>>> Thank you for helping all of us improve security and fight malware
>>> through the use of up-to-date and secure hashing algorithms! :-)
>>>
>>> [1] http://download.qt.io/archive/qt/4.8/4.8.6/
>>
>> There's a very clear rule in 4.8: No new features are allowed. It's
>> pretty much only security fixes that will find their way into this. Perhaps
>> some bug fixes as well.
>>
>> So no, you won't get this for a 4.8 based application.
>>
>> Your options are to upgrade Qt to 5.x (which you probably chose not to
>> for some reason) or to implement it yourself.
>>
>> If you need this for a 4.8 based application, you can just create your
>> own Qt patch and build Qt yourself with it. It shouldn't be difficult to
>> port the code from the 5.x sources to 4.8.
>>
>> Bo Thorsen,
>> Director, Viking Software.
>>
>> --
>> Viking Software
>> Qt and C++ developers for hire
>> http://www.vikingsoft.eu
>> _______________________________________________
>
> Hi,
>
> @Bo
> I think the OP was just asking to add the information on the download page
> and secure it using https
>
> @Jérôme
> It's available in the "Details" for each download

Ok. Thank you very much! One should always check the details before complaining... ;-)
I still have a few complaints though: no https by default and no GPG authentication of the checksums. Firefox complains about the https version of the page because a few elements are not served through https... Putting sha256 in the forefront instead of md5 would be a good idea too, I guess. I hope someone in charge of security at Qt reads this and takes action. :-)
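As an added example (not from this thread or from the Qt project), the consumer side of what the thread asks for: a small Python verifier that parses a coreutils-style checksum file such as the proposed sha256sums-4.8.6, checks a downloaded file against it, and refuses md5 entries outright instead of verifying them. The tarball contents and checksum lines below are constructed sample data, and the GPG check of the checksum file itself is assumed to happen before this step.

```python
import hashlib
import os
import tempfile

# Hex-digest length -> algorithm, as in coreutils checksum files.
# md5 appears only so the refusal message can name it.
HEX_LEN_TO_ALGO = {32: "md5", 64: "sha256", 128: "sha512"}

def parse_checksum_file(text):
    """Parse 'sha256sum'-style lines ('<hexdigest>  <filename>') into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError("malformed checksum line: %r" % line)
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries

def verify_download(path, entries, allowed=("sha256", "sha512")):
    """True iff the file's digest matches its entry; md5 entries are refused,
    not verified, so a forgeable digest is never silently trusted."""
    name = os.path.basename(path)
    algo = HEX_LEN_TO_ALGO.get(len(entries[name]))
    if algo not in allowed:
        raise ValueError("refusing %s checksum for %s" % (algo, name))
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == entries[name]

def demo():
    """Constructed sample: a fake tarball checked against sha256 and md5 lists."""
    name = "qt-everywhere-opensource-src-4.8.6.tar.gz"
    path = os.path.join(tempfile.mkdtemp(), name)
    data = b"not a real Qt tarball, constructed for this example\n"
    with open(path, "wb") as f:
        f.write(data)
    sums = lambda hexdigest: parse_checksum_file("%s  %s\n" % (hexdigest, name))
    sha_ok = verify_download(path, sums(hashlib.sha256(data).hexdigest()))
    tampered = verify_download(path, sums(hashlib.sha256(data + b"x").hexdigest()))
    try:
        verify_download(path, sums(hashlib.md5(data).hexdigest()))
        md5_refused = False
    except ValueError:
        md5_refused = True
    return sha_ok, tampered, md5_refused  # (True, False, True)
```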
_______________________________________________
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest