On Fri, Jan 27, 2017 at 6:04 PM, Rich Bowen wrote:
> ...If you feel strongly about it, go make better hashes
> for the project(s) you care about. Show us how it's done...
+1, a blog post explaining what projects need to change would be
useful, as a single URL that people can be pointed to to unde
On 01/26/2017 01:20 PM, Mike Lissner wrote:
> I filed a bug about this already, but I've been directed to email here
> instead. The bug I filed is:
> https://issues.apache.org/jira/browse/INFRA-12626
>
> Basically, on download pages we provide obsolete hashes for our downloads
> (MD5 and SHA1). Th
Yes, hashes etc are not replicated to mirrors; I think this is partly
to encourage people to download them from the ASF hardware.
However a rogue mirror could still provide its own hashes.
But hashes from ASF hardware still only provide a basic download
check; they don't provide authentication, be
Infra does filter filenames that match (*.sha256) from the mirror
replication, so it is possible
to use such names and have matching behavior:
Compare mirror: http://apache.cs.utah.edu/orc/orc-1.2.3/
Apache version: http://www-eu.apache.org/dist/orc/orc-1.2.3/
and you can see the sha256 files are
To be clear, those "trusted signatures" should be using strong hash
algorithms themselves. (As well as sufficiently long keys.)
I raised the issue of weak hashes in GPG signatures for Maven projects at
ASF with https://issues.apache.org/jira/browse/MPOM-118 , but non-Maven
projects which manually s
SHA1 and MD5 have been individually compromised, but a combined hash has
not been.
Regardless, Sebb's comment that hashes are worthless for authentication and
tamper-detection is spot-on. You have to look to trusted signatures for
that.
On Thu, Jan 26, 2017 at 10:20 AM, Mike Lissner <
mliss...@
On 26 January 2017 at 18:20, Mike Lissner
wrote:
> I filed a bug about this already, but I've been directed to email here
> instead. The bug I filed is:
> https://issues.apache.org/jira/browse/INFRA-12626
>
> Basically, on download pages we provide obsolete hashes for our downloads
> (MD5 and SHA1
I filed a bug about this already, but I've been directed to email here
instead. The bug I filed is:
https://issues.apache.org/jira/browse/INFRA-12626
Basically, on download pages we provide obsolete hashes for our downloads
(MD5 and SHA1). These are meant, as I understand it, to serve two purposes
