On Tue, May 20, 2014 at 8:20 AM, David M Williams <[email protected] > wrote:
> I wanted to be sure everyone knew that beginning with tonight's I-build
> (I20140519-2000), Eclipse and Equinox have changed to provide SHA512 hashes
> for downloadable zips and tar files, instead of the previous MD5 and SHA1
> hash sums.
>
> See the references in
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=420010#c1 for why it's a
> bad idea to continue to rely on MD5 and SHA1.
>
> Our "conversion" and plan is documented in bug 423714
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714
>
> The disadvantage of using such a large hash is that it's not something you
> can "verify" just by "looking at it" ... but ... insecure is insecure, and
> it is a pretty easy task to automate (and is a LOT easier, once you have
> done that).
>
> See
> https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads for
> "instructions" and links to tools. Feel free to contribute to that page
> if anyone has any "general purpose" scripts that others could use or know
> of other tools that would be handy to know about.
>
> Now -- here's where your feedback is needed -- we'd actually like to stop
> producing the MD5 and SHA1 checksums, say, a month after Luna release ...
> but if this is just too disruptive or doesn't work for someone, please
> comment in *Bug 423714* <https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714>
> explaining.
> In the meantime, we do not "link" to the old MD5 or SHA1 checksums from
> the download page, but they are still there ... right where they always
> were ... to make sure we don't suddenly break someone's scripts or builds.
> And if you do rely on them now, we hope you can convert after the Luna
> release (if not before).
>
> Do feel free to comment in the bug, if this has some negative consequence
> we have not anticipated ... but, my guess is that anyone who cares about
> them in the first place will appreciate the modernization.
>
> My new slogan: Test early, test often, and practice safe computing!
>
>

Thanks, could you share how platform generates SHA512 checksums from Maven / Tycho? This would be interesting for other projects which want to update their builds as well.

--
Matthias
_______________________________________________
cross-project-issues-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
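
The quoted announcement notes that checking a SHA512 hash is easy to automate. The following is an added example, not part of the thread and not the Eclipse project's own tooling. It assumes the checksum file uses the common `sha512sum` line format (`<hex digest>  <file name>`); the file name `sample-build.zip` and its contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def sha512_of(path, chunk_size=1 << 20):
    """Stream the file so large zips/tars are not loaded into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_file(text):
    """Parse sha512sum-style lines: '<128 hex chars>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        hex_digest, name = parts[0].lower(), parts[1].lstrip("*")
        # Reject anything that is not a full SHA-512 digest (e.g. an MD5 or SHA1 line).
        if len(hex_digest) != 128 or any(c not in "0123456789abcdef" for c in hex_digest):
            raise ValueError("not a SHA-512 digest for %r" % name)
        entries[name] = hex_digest
    return entries

def verify(path, checksum_text):
    """Return True only if the file's digest matches the entry listed for its name."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False  # no entry for this file: treat as unverified, not as OK
    return hmac.compare_digest(sha512_of(path), expected)

def demo():
    """Constructed sample: a stand-in 'download' and its checksum line."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-build.zip")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample payload")
        good = "%s  sample-build.zip\n" % sha512_of(path)
        ok_before = verify(path, good)
        with open(path, "ab") as fh:
            fh.write(b"!")  # simulate a corrupted or altered download
        ok_after = verify(path, good)
        return ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the checksum file came over: fetch it over HTTPS from the project's own site rather than from the same mirror that served the archive.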
