OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ALL] SHA-1 vs. SHA-256


On Fri, May 18, 2018 at 9:36 AM, sebb <sebbaz@xxxxxxxxx> wrote:

> On 18 May 2018 at 16:30, Gary Gregory <garydgregory@xxxxxxxxx> wrote:
> > Hi All:
> >
> > Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
> >
> > We just updated to SHA-1 which apparently has been subject to a collision
> > attack [2].
> >
> > Our newish commons-release-plugin has just been updated to SHA-1.
> >
> > I'd like to add SHA-256 alongside SHA-1.
> >
> > Thoughts?
>
> Does Nexus support SHA-256?
>
> ISTR that there were some issues with it.
>

Hard to say without trying:
- No: https://issues.sonatype.org/browse/NEXUS-5881
- Yes:
https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes

_But_, it would be a start to include SHA-256 in VOTE emails, which I am
working on with Rob to generate based on a template.

That would give RC reviewers the opportunity to validate RC downloads from
dist with SHA-1 or SHA-256.

Gary


> > [1]
> > https://www.eclipse.org/eclipse/news/4.8/platform_isv.
> php#equinox-sha-256-checksum
> > [2]
> > https://arstechnica.com/information-technology/2017/
> 02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@xxxxxxxxxxxxxxxxxx
> For additional commands, e-mail: dev-help@xxxxxxxxxxxxxxxxxx
>
>