I'm in the process of computing the sha-512 sums on the over 200,000
files in our active file index. I'll get the new sums listed alongside
the existing ones on the generic "pick a mirror" page shortly.
Denis
On 05/20/2014 10:40 AM, David M Williams wrote:
Correct. I did open
Bug 423715 <https://bugs.eclipse.org/bugs/show_bug.cgi?id=423715> -
move to SHA2 for p2 metadata publishing (and consumption)
but that won't change for Luna ... and maybe never ... until there is
pressure from some of these "government regulations" or something to
motivate a change.
From: "Sievers, Jan" <[email protected]>
To: Cross project issues <[email protected]>,
Date: 05/20/2014 04:23 AM
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have moved
to using SHA-2, 512 bit hashes for downloads -- Don't panic!
Sent by: [email protected]
------------------------------------------------------------------------
as far as I got it this is for the eclipse.org download pages only.
p2 is still using MD5 for checksums in artifacts.jar, see e.g. [1]
Jan
[1] http://download.eclipse.org/releases/luna/201405090900/artifacts.jar
From: [email protected]
[mailto:[email protected]] On Behalf Of Matthias Sohn
Sent: Tuesday, 20 May 2014 08:33
To: Cross project issues
Cc: General development mailing list of the Eclipse project.; Equinox
development mailing list
Subject: Re: [cross-project-issues-dev] Eclipse and Equinox have
moved to using SHA-2, 512 bit hashes for downloads -- Don't panic!
On Tue, May 20, 2014 at 8:20 AM, David M Williams
<[email protected] <mailto:[email protected]>> wrote:
I wanted to be sure everyone knew that beginning with tonight's
I-build (I20140519-2000), Eclipse and Equinox have changed to provide
SHA512 hashes for downloadable zips and tar files, instead of the
previous MD5 and SHA1 hash sums.
See the references in
https://bugs.eclipse.org/bugs/show_bug.cgi?id=420010#c1 for why it's
a bad idea to continue to rely on MD5 and SHA1.
Our "conversion" and plan is documented in bug 423714
https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714
The disadvantage of using such a large hash is that it's not something
you can "verify" just by "looking at it" ... but ... insecure is
insecure, and it is a pretty easy task to automate (and is a LOT
easier, once you have done that).
See
https://wiki.eclipse.org/Platform-releng/How_to_check_integrity_of_downloads for
"instructions" and links to tools. Feel free to contribute to that
page if anyone has any "general purpose" scripts that others could use
or know of other tools that would be handy to know about.
Now -- here's where your feedback is needed -- we'd actually like to
stop producing the MD5 and SHA1 checksums, say, a month after Luna
release ... but if this is just too disruptive or doesn't work for
someone, please comment in Bug 423714
<https://bugs.eclipse.org/bugs/show_bug.cgi?id=423714> explaining. In
the meantime, we do not "link" to the old MD5 or SHA1 checksums from
the download page, but they are still there ... right where they
always were ... to make sure we don't suddenly break someone's scripts
or builds. And if you do rely on them now, we hope you can convert
after the Luna release (if not before).
Do feel free to comment in the bug, if this has some negative
consequence we have not anticipated ... but, my guess is that anyone
who cares about them in the first place will appreciate the
modernization.
My new slogan: Test early, test often, and practice safe computing!
Thanks,
Could you share how platform generates SHA512 checksums from Maven /
Tycho?
This would be interesting for other projects which want to update
their builds as well.
--
Matthias
_______________________________________________
cross-project-issues-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
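
The automated check that the announcement quoted above calls easy to automate, as an added example that is not part of the original thread or of any Eclipse tooling: it verifies a download against one line of a `sha512sum`-style checksum file and refuses digests of MD5 or SHA-1 length. The file name `example-sdk.zip` and the file contents are constructed for the demonstration, and the checksum-file layout is an assumption.

```python
import hashlib
import hmac
import os
import tempfile

SHA512_HEX_LEN = 128  # MD5 is 32 hex chars, SHA-1 is 40

def parse_checksum_line(line):
    """Split a 'HEX  name' / 'HEX *name' line; accept only SHA-512 digests."""
    digest, _, rest = line.rstrip("\r\n").partition(" ")
    name = rest[1:] if rest[:1] in (" ", "*") else rest
    digest = digest.lower()
    if len(digest) != SHA512_HEX_LEN or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a SHA-512 hex digest")
    # A sums file must not be able to point outside the download directory.
    if not name or os.path.basename(name) != name:
        raise ValueError("missing or path-qualified file name")
    return digest, name

def sha512_file(path, chunk=1 << 20):
    """Hash in chunks so large archives are not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(checksum_line, directory):
    expected, name = parse_checksum_line(checksum_line)
    return hmac.compare_digest(expected, sha512_file(os.path.join(directory, name)))

def demo():
    """Run against a constructed file: intact, modified, and an MD5-length sum."""
    data = b"constructed sample archive bytes\n"
    good = hashlib.sha512(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-sdk.zip")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(data)
        intact = verify(good + "  example-sdk.zip", d)
        with open(path, "ab") as f:
            f.write(b"modified")
        modified = verify(good + " *example-sdk.zip", d)
        try:
            verify("0" * 32 + "  example-sdk.zip", d)
            weak = "accepted"
        except ValueError:
            weak = "rejected"
    return intact, modified, weak
```

A matching checksum only shows the file matches the published sum, so the sum itself should be fetched over a trusted channel rather than from the same mirror as the archive.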