There is no security risk with weaker checksums since the checksums are not
used for security. An attacker who messes with your binaries can also mess with
the checksum files. Only the signatures are relevant here (and they depend on
the PGP settings if they use strong hashes).
And even the bro
On Wed, Oct 13, 2021 at 2:10 PM Michael Osipov wrote:
> Hi Mickael,
>
Hi Michael,
>
> this is an overly complex topic I'd like to explain.
> First of all Wagon is not involved in this. It does the physical
> transport. The payload is opaque. SHA, MD5 aren't verifying any
> signatures, it is jus
On 2021-10-13 at 12:10, Mickael Istria wrote:
Hi all,
While I'm investigating Maven code to allow re-using checksums of
Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and
.sha1 seem to be used by Wagon and then also noticed that Maven Central
doesn't contain a "safe
Might be helpful:
https://checksum-maven-plugin.nicoulaj.net/examples/using-custom-checksum-algorithms.html
Delany
On Wed, 13 Oct 2021 at 12:10, Mickael Istria wrote:
> Hi all,
>
> While I'm investigating Maven code to allow re-using checksums of
> Maven artifacts when "p2-ifying" them with
Hi all,
While I'm investigating Maven code to allow re-using checksums of
Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and
.sha1 seem to be used by Wagon and then also noticed that Maven Central
doesn't contain a "safe" digest signature either.
In this world of suppl