AFAIK, checksums are there only to avoid stupid download/upload distortion. What gives real security is the *signature* done by developers, i.e. .asc files, which use other hash algorithms than these little .md5 and .sha1 files. That's why we recommend verifying *the signature* [1].
Another topic: https://www.apache.org/dev/release-signing.html is not about the Maven repository but about Apache releases that are distributed as part of official Apache (source) releases, distributed by Apache mirrors [2].

AFAIK, security is taken seriously: checksums are just not really part of that security, they are only checksums.

Regards,

Hervé

[1] http://maven.apache.org/download.cgi
[2] https://www.apache.org/mirrors/

On Monday, 5 December 2016, 00:56:22 CET, John Patrick wrote:
> Hiya,
>
> So currently checksums are not generated by default... I've submitted
> a ticket which switched the install plugin to generate them by
> default.
>
> Next step: stop using md5, which most have considered dead for several
> years, and checking apache
> (https://www.apache.org/dev/release-signing.html) sha512 should be
> being used.
>
> So either;
> 1) add support so md5, sha1, sha256 and sha512 are all generated
> 2) plugin defines which is generated
> 3) plugin defines a list which are generated
> 4) settings.xml defines which is generated
> 5) settings.xml defines a list which are generated?
>
> Thoughts???
>
> Next;
> Currently when downloading we have ignore, warn or error if checksums
> don't match. I propose adding a checksum min level option? i.e. allow
> MD5 > SHA1, SHA256 > SHA512
>
> So;
> 1) Default to MD5
> 2) Wait till all maven plugins deploy a sha512 to central
> 3) Switch default to SHA512
>
> What are developers' thoughts?
> What staged steps should this be merged as?
>
> I would like to start helping getting the core maven and all of its
> dependencies more secure so people can start trusting maven is secure
> by default, as I get the feeling it isn't at the moment.
>
> Cheers,
> John
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
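The distinction Hervé draws above (a checksum only catches download corruption; only a signature checked against a pinned key catches a tampered mirror) as a runnable illustration. This is an added example, not code from this thread or from Maven: it uses Ed25519 as a stand-in for the OpenPGP .asc signature, a constructed byte string in place of a real jar, and hypothetical helper names (publish, checksumsMatch, tamperOnMirror, runScenarios). It goes slightly beyond the thread by also showing that the signature fails on plain corruption, so it is a strict superset of the checksum check when the key is pinned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Artifact models what a mirror serves: the file plus the sidecar
// checksum files Maven writes beside it (foo.jar.md5, .sha1, .sha512).
type Artifact struct {
	Body              []byte
	MD5, SHA1, SHA512 string
}

// publish derives the sidecars from the body. No secret is involved, so a
// mirror, a proxy or an attacker can do this as well as the original build.
func publish(body []byte) Artifact {
	m, s1, s5 := md5.Sum(body), sha1.Sum(body), sha512.Sum512(body)
	return Artifact{Body: body, MD5: hex.EncodeToString(m[:]),
		SHA1: hex.EncodeToString(s1[:]), SHA512: hex.EncodeToString(s5[:])}
}

// checksumsMatch is all a checksum policy of "fail" can decide: do the
// downloaded bytes agree with the sidecar files that came with them?
func checksumsMatch(a Artifact) bool {
	f := publish(a.Body)
	return f.MD5 == a.MD5 && f.SHA1 == a.SHA1 && f.SHA512 == a.SHA512
}

// Release is the artifact plus a detached signature (the .asc file).
// Ed25519 stands in for OpenPGP here (assumption); the property shown is
// the same: only the holder of the release manager's private key can
// produce Sig.
type Release struct {
	Artifact
	Sig []byte
}

// sign happens once, by the release manager, with a key mirrors never see.
func sign(priv ed25519.PrivateKey, a Artifact) Release {
	return Release{Artifact: a, Sig: ed25519.Sign(priv, a.Body)}
}

// verifySignature is what "verify the signature" means for the consumer:
// check the .asc against a key pinned from a trusted source (the project's
// KEYS file), never against anything fetched from the same mirror.
func verifySignature(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Body, r.Sig)
}

// corruptInTransit is the failure checksums exist for: a flipped bit on
// the wire while the sidecars arrive intact.
func corruptInTransit(r Release) Release {
	body := append([]byte(nil), r.Body...)
	body[len(body)/2] ^= 0x01
	r.Body = body
	return r
}

// tamperOnMirror is an attacker who controls the download path: they swap
// the body and, since checksums need no secret, regenerate every sidecar
// to match. The one thing they cannot regenerate is the signature.
func tamperOnMirror(r Release, payload []byte) Release {
	return Release{Artifact: publish(payload), Sig: r.Sig}
}

// Outcome records what the two consumer-side checks report for a download.
type Outcome struct{ ChecksumsOK, SignatureOK bool }

// runScenarios builds one genuine release (constructed bytes, not a real
// jar) and the two failure modes the thread distinguishes.
func runScenarios() map[string]Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := sign(priv, publish([]byte("PK\x03\x04 constructed jar bytes")))
	cases := map[string]Release{
		"genuine":    genuine,
		"corrupted":  corruptInTransit(genuine),
		"backdoored": tamperOnMirror(genuine, []byte("PK\x03\x04 constructed jar + backdoor")),
	}
	out := make(map[string]Outcome)
	for name, r := range cases {
		out[name] = Outcome{checksumsMatch(r.Artifact), verifySignature(pub, r)}
	}
	return out
}

func main() {
	for name, o := range runScenarios() {
		fmt.Printf("%-10s checksums ok: %-5v signature ok: %v\n", name, o.ChecksumsOK, o.SignatureOK)
	}
}
```

The "backdoored" case is the one that matters for John's proposal: raising the minimum checksum algorithm from MD5 to SHA-512 changes nothing there, because the attacker regenerates whichever sidecar the client asks for. It does matter for the "corrupted" case only in the sense of collision resistance, which is why the stronger hash is still worth having inside the signed digest.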
