Correct. I did open Bug 423715 - move to SHA2 for p2 metadata publishing (and consumption), but that won't change for Luna ... and maybe never ... until there is pressure from some of these "government regulations" or something to motivate a change.
From:    "Sievers, Jan" <jan.siev...@sap.com>
To:      Cross project issues <cross-project-issues-dev@eclipse.org>
Date:    05/20/2014 04:23 AM
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!
Sent by: cross-project-issues-dev-boun...@eclipse.org

As far as I understand it, this is for the eclipse.org download pages only.
p2 is still using MD5 for checksums in artifacts.jar, see e.g. [1].
 
Jan
 
[1] http://download.eclipse.org/releases/luna/201405090900/artifacts.jar 
 
From: cross-project-issues-dev-boun...@eclipse.org [mailto:cross-project-issues-dev-boun...@eclipse.org] On Behalf Of Matthias Sohn
Sent: Tuesday, 20 May 2014 08:33
To: Cross project issues
Cc: General development mailing list of the Eclipse project; Equinox development mailing list
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!
 
On Tue, May 20, 2014 at 8:20 AM, David M Williams <david_willi...@us.ibm.com> wrote:
I wanted to be sure everyone knew that beginning with tonight's I-build 
(I20140519-2000), Eclipse and Equinox have changed to provide SHA512 
hashes for downloadable zips and tar files, instead of the previous MD5 
and SHA1 hash sums. 

See the references in 
https://bugs.eclipse.org/bugs/show_bug.cgi?id=420010#c1 for why it's a bad 
idea to continue to rely on MD5 and SHA1. 

Our "conversion" and plan is documented in bug 423714 
https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714 

The disadvantage of using such a large hash is that it's not something you 
can "verify" just by "looking at it" ... but ... insecure is insecure, and 
it is a pretty easy task to automate (and is a LOT easier, once you have 
done that).

See 
https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads 
for "instructions" and links to tools. Feel free to contribute to that 
page if anyone has any "general purpose" scripts that others could use or 
know of other tools that would be handy to know about. 

Now -- here's where your feedback is needed -- we'd actually like to stop 
producing the MD5 and SHA1 checksums, say, a month after Luna release ... 
but if this is just too disruptive or doesn't work for someone, please 
comment in Bug 423714 explaining. In the meantime, we do not "link" to 
the old MD5 or SHA1 checksums from the download page, but they are still 
there ... right where they always were ... to make sure we don't suddenly 
break someone's scripts or builds. And if you do rely on them now, we hope 
you can convert after the Luna release (if not before).

Do feel free to comment in the bug, if this has some negative consequence 
we have not anticipated ... but, my guess is that anyone who cares about 
them in the first place will appreciate the modernization. 

My new slogan: Test early, test often, and practice safe computing! 

Thanks, 
 
Could you share how Platform generates SHA512 checksums from Maven / Tycho?
This would be interesting for other projects which want to update their 
builds as well.
 
--
Matthias

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
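The automated check the thread refers to, as an added example that is not from the thread, the Eclipse releng wiki page or the Platform build: a Python verifier for checksum files in the coreutils `sha512sum` layout (`<hex digest>  <filename>`) that accepts only SHA-512 entries and refuses legacy MD5 / SHA-1 lines instead of silently using them. The file layout, the digest-length table, the sample archive name and its bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length identifies the algorithm (assumed table); only SHA-512 is used.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def parse_checksum_file(text):
    """Map filename -> (algorithm, hexdigest) from sha512sum-style lines."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(None, 1)  # "<hex>  name" or "<hex> *name"
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None:
            raise ValueError("unrecognised digest length: %r" % line)
        entries[name.lstrip("*")] = (algo, digest.lower())
    return entries

def file_digest(path, algo, chunk=1 << 20):
    # Stream the file through hashlib so multi-hundred-MB SDK zips fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return (ok, reason); ok only for a matching SHA-512 entry."""
    name = os.path.basename(path)
    entry = parse_checksum_file(checksum_text).get(name)
    if entry is None:
        return False, "no checksum entry for %s" % name
    algo, expected = entry
    if algo != "sha512":
        return False, "%s entry refused, SHA-512 required" % algo
    # Constant-time compare so a mismatch does not leak how much matched.
    if not hmac.compare_digest(file_digest(path, algo), expected):
        return False, "sha512 mismatch"
    return True, "sha512 ok"

def demo():
    """Constructed sample: good SHA-512 line, legacy MD5 line, tampered line."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "eclipse-SDK-sample.zip")
        with open(path, "wb") as f:
            f.write(b"PK\x03\x04 constructed placeholder, not a real archive\n")
        good = "%s  eclipse-SDK-sample.zip\n" % file_digest(path, "sha512")
        weak = "%s  eclipse-SDK-sample.zip\n" % file_digest(path, "md5")
        bad = "0" * 128 + "  eclipse-SDK-sample.zip\n"
        return tuple(verify_download(path, t)[0] for t in (good, weak, bad))
```

`demo()` returns `(True, False, False)`: the SHA-512 line verifies, the MD5 line is refused outright, and the tampered line fails the digest comparison.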