I'm in the process of computing the sha-512 sums on the over 200,000
files in our active file index. I'll get the new sums listed
alongside the existing ones on the generic "pick a mirror" page
shortly.
Denis
On 05/20/2014 10:40 AM, David M Williams wrote:
Correct. I did open Bug 423715 - move to SHA2 for p2 metadata publishing (and consumption) but that won't change for Luna ... and maybe never ... until there is pressure from some of these "government regulations" or something to motivate a change.
From: "Sievers, Jan" <jan.sievers@xxxxxxx>
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Date: 05/20/2014 04:23 AM
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
as far as I got it this is for the eclipse.org download pages only.
p2 is still using MD5 for checksums in artifacts.jar, see e.g. [1]
Jan
[1] http://download.eclipse.org/releases/luna/201405090900/artifacts.jar
From: cross-project-issues-dev-bounces@xxxxxxxxxxx [mailto:cross-project-issues-dev-bounces@xxxxxxxxxxx] On Behalf Of Matthias Sohn
Sent: Tuesday, 20 May 2014 08:33
To: Cross project issues
Cc: General development mailing list of the Eclipse project.; Equinox development mailing list
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!
On Tue, May 20, 2014 at 8:20 AM, David M Williams <david_williams@xxxxxxxxxx> wrote:
I wanted to be sure everyone knew that beginning with tonight's I-build (I20140519-2000), Eclipse and Equinox have changed to provide SHA512 hashes for downloadable zips and tar files, instead of the previous MD5 and SHA1 hash sums.

See the references in https://bugs.eclipse.org/bugs/show_bug.cgi?id=420010#c1 for why it's a bad idea to continue to rely on MD5 and SHA1.

Our "conversion" and plan is documented in bug 423714
https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714

The disadvantage of using such a large hash is that it's not something you can "verify" just by "looking at it" ... but ... insecure is insecure, and it is a pretty easy task to automate (and is a LOT easier, once you have done that).

See https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads for "instructions" and links to tools. Feel free to contribute to that page if anyone has any "general purpose" scripts that others could use or know of other tools that would be handy to know about.

Now -- here's where your feedback is needed -- we'd actually like to stop producing the MD5 and SHA1 checksums, say, a month after Luna release ... but if this is just too disruptive or doesn't work for someone, please comment in Bug 423714 explaining.

In the meantime, we do not "link" to the old MD5 or SHA1 checksums from the download page, but they are still there ... right where they always were ... to make sure we don't suddenly break someone's scripts or builds. And if you do rely on them now, we hope you can convert after the Luna release (if not before).

Do feel free to comment in the bug, if this has some negative consequence we have not anticipated ... but, my guess is that anyone who cares about them in the first place will appreciate the modernization.

My new slogan: Test early, test often, and practice safe computing!
Thanks,
could you share how platform generates SHA512 checksums from Maven / Tycho?
This would be interesting for other projects which want to update their builds as well.
--
Matthias
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
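
The thread describes checking a SHA-512 sum as easy to automate and asks scripts to stop relying on the MD5 and SHA1 sums. The following is an added example, not part of the thread and not Eclipse's release tooling: a verifier that checks files against a checksum file and refuses entries that are not SHA-512 length. The coreutils-style checksum-file layout, the function names and the sample file names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed layout (coreutils style): "<hex digest>  <name>", optional "*" before the name.
LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")
SHA512_HEX_LEN = 128  # 512 bits; an MD5 sum is 32 hex chars, a SHA-1 sum is 40

def sha512_of(path, chunk=1 << 20):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream large archives
            h.update(block)
    return h.hexdigest()

def verify(sums_file, base_dir):
    """Return {name: status} for every entry of a checksum file."""
    results = {}
    for raw in Path(sums_file).read_text().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        expected, name = m.group(1).lower(), m.group(2)
        target = Path(base_dir) / Path(name).name  # ignore directory parts in the name
        if len(expected) != SHA512_HEX_LEN:
            results[name] = "REJECTED: not a SHA-512 digest"  # e.g. old MD5/SHA1 sums
        elif not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha512_of(target), expected):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

def demo():  # constructed sample: matching file, changed file, MD5-length sum
    with tempfile.TemporaryDirectory() as d:
        Path(d, "good.zip").write_bytes(b"constructed sample archive")
        Path(d, "bad.zip").write_bytes(b"content changed after the sum was published")
        sums = Path(d, "checksums.sha512")
        sums.write_text(
            f"{sha512_of(Path(d, 'good.zip'))}  good.zip\n"
            f"{hashlib.sha512(b'original content').hexdigest()} *bad.zip\n"
            f"{'0' * 32}  legacy.zip\n")
        return verify(sums, d)

if __name__ == "__main__":
    print(demo())
```

A build script would call `verify()` on the published checksum file and fail unless every status is `OK`.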