Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Eclipse and Equinox have moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!

On Tue, May 20, 2014 at 8:20 AM, David M Williams <david_williams@xxxxxxxxxx> wrote:
I wanted to be sure everyone knew that beginning with tonight's I-build (I20140519-2000), Eclipse and Equinox have changed to provide SHA512 hashes for downloadable zips and tar files, instead of the previous MD5 and SHA1 hash sums.

See the references in https://bugs.eclipse.org/bugs/show_bug.cgi?id=420010#c1 for why it's a bad idea to continue to rely on MD5 and SHA1.

Our "conversion" and plan is documented in bug 423714
https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714

The disadvantage of using such a large hash is that its not something you can "verify" just by "looking at it" ... but ... insecure is insecure, and it is a pretty easy task to automate (and is a LOT easier, once you have done that).  

See https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads for "instructions" and links to tools. Feel free to contribute to that page if anyone has any "general purpose" scripts that others could use or know of other tools that would be handy to know about.

Now -- here's where your feedback is needed -- we'd actually like to stop producing the MD5 and SHA1 checksums, say, a month after Luna release ... but if if this is just too disruptive or doesn't work for someone, please comment in Bug 423714 explaining. In the mean time, we do not "link" to the old MD5 or SHA1 checksums from the download page, but they are still there ... right where they always were ... to make sure we don't suddenly break someone's scripts or builds. And if you do rely on them now, we hope you can convert after the Luna release (if not before).  

Do feel free to comment in the bug, if this has some negative consequence we have not anticipated ... but, my guess is that anyone who cares about them in the first place will appreciate the modernization.

My new slogan: Test early, test often, and practice safe computing!

Thanks,

could you share how platform generates SHA512 checksums from Maven / Tycho ? 
This would be interesting for other projects which want to update their builds as well.

--
Matthias 

Back to the top