On Thu, Aug 31, 2017 at 3:15 PM, Henk P. Penning wrote:
> -- SHA-1 : not as bad as MD5, but no longer considered secure
> by some ; https://en.wikipedia.org/wiki/SHA-1 ; skip
> -- SHA-256 : fine
> -- SHA-512 : fine
>
> So, I would suggest we pick SHA-256...
+1
-Bertrand
---
Henk P. Penning wrote:
> On Fri, 1 Sep 2017, Christopher wrote:
>
> > Date: Fri, 1 Sep 2017 03:29:58 +0200
> > From: Christopher
> > To: general@incubator.apache.org
> > Subject: Re: Digests in releases
> >
> > On Wed, Aug 30, 2017 at 5:08 PM Julian Hyde wr
On Fri, 1 Sep 2017, Christopher wrote:
Date: Fri, 1 Sep 2017 03:29:58 +0200
From: Christopher
To: general@incubator.apache.org
Subject: Re: Digests in releases
On Wed, Aug 30, 2017 at 5:08 PM Julian Hyde wrote:
What is the correct forum for discussing release distribution policy?
Good
Dave Fisher wrote on Thu, 31 Aug 2017 13:35 -0700:
> Regardless of what Jane User knows, and we have 200 million Jane Users of
> Apache OpenOffice, I think it would be helpful to have an Apache Download
> checker program/script that could be run to confirm the bona fides.
>
> An idea.
Why stop h
Hey Joe,
Thanks for the pointer. I think Henk needs to be involved.
Regards,
Dave
Sent from my iPhone
> On Aug 31, 2017, at 3:31 PM, Joe Schaefer wrote:
>
> Henk's scripting does that and much more.
>
>> On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning wrote:
>>
>> I thought that gpg does that.
On Wed, Aug 30, 2017 at 5:08 PM Julian Hyde wrote:
> What is the correct forum for discussing release distribution policy?
>
>
Good question. I hope it's this one, since this is where the discussion is
happening.
> Current policy [1] states:
>
> Every artifact distributed to the public throu
Henk's scripting does that and much more.
On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning wrote:
> I thought that gpg does that.
>
> On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher wrote:
>
> > Regardless of what Jane User knows, and we have 200 million Jane Users of
> > Apache OpenOffice, I think i
I thought that gpg does that.
On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher wrote:
> Regardless of what Jane User knows, and we have 200 million Jane Users of
> Apache OpenOffice, I think it would be helpful to have an Apache Download
> checker program/script that could be run to confirm the bona
Regardless of what Jane User knows, and we have 200 million Jane Users of
Apache OpenOffice, I think it would be helpful to have an Apache Download
checker program/script that could be run to confirm the bona fides.
An idea.
Regards,
Dave
> On Aug 31, 2017, at 1:22 PM, Julian Hyde wrote:
>
>
I know this. You know this. Joe User does not know this. I am trying to make
Joe User’s life easier.
Since SHA256 is sufficient for both purposes why does release policy MANDATE
that projects include an MD5?
Julian
> On Aug 31, 2017, at 1:17 PM, Ted Dunning wrote:
>
> The checksum is not a
The checksum is not a tampering countermeasure.
It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
countermeasure.
On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde wrote:
> As security experts, you and I know that. But Joe User maybe only checks
> one digest.
>
> (Aren’t we
As security experts, you and I know that. But Joe User maybe only checks one
digest.
(Aren’t we all Joe User sometimes?)
Julian
> On Aug 31, 2017, at 11:30 AM, Mike Jumper wrote:
>
> On Aug 31, 2017 11:21, "Julian Hyde" wrote:
>
> After downloading artifacts, there are 3 things to check: (1
On Aug 31, 2017 11:21, "Julian Hyde" wrote:
After downloading artifacts, there are 3 things to check: (1) the download
is successful; (2) the artifacts were indeed created by the named author;
and (3) the artifacts have not been tampered with.
A security expert would know to use the .md5 for (1)
After downloading artifacts, there are 3 things to check: (1) the download is
successful; (2) the artifacts were indeed created by the named author; and (3)
the artifacts have not been tampered with.
A security expert would know to use the .md5 for (1), the .asc for (2), and the
.sha256 or .sha
On Wed, 30 Aug 2017, Julian Hyde wrote:
Date: Wed, 30 Aug 2017 14:08:42 -0700
From: Julian Hyde
To: general@incubator.apache.org
Subject: Digests in releases
What is the correct forum for discussing release distribution policy?
MD5 is no longer deemed secure[2]. I think we should remove it
On 30 August 2017 at 22:08, Julian Hyde wrote:
> What is the correct forum for discussing release distribution policy?
>
> Current policy [1] states:
>
> Every artifact distributed to the public through Apache channels MUST
> be accompanied by one file containing an OpenPGP compatible ASCII
>