To me, going to sha1 only *for fingerprints* is the right move currently.

Going to sha256 would make people think that a strong fingerprint means 
stronger security: this is wrong.
If you want security, check signatures (i.e. .asc files, with corresponding 
public keys): that is real security (done with strong fingerprints built 
inside).

But fingerprints alone are just checksums against download issues: technically, 
we could stay with md5 or even weaker (good old crc?), IMHO. It's just to 
avoid md5's bad reputation that we need to avoid it now: md5 for signature is 
bad, but md5 for fingerprint could still be sufficient.

Regards,

Hervé

On Friday 6 April 2018, 21:54:42 CEST Michael Osipov wrote:
> On 2018-04-06 at 21:50 Karl Heinz Marbaise wrote:
> > Hi to all,
> > 
> > updated the download page having now sha256/sha512 links...
> > 
> > first step of the efforts to migrate away from .md5 to sha256/sha512..
> > 
> > Most important:
> > 
> > https://maven.apache.org/download.cgi
> > 
> > WDYT ?
> > 
> > other changes/improvements ?
> 
> I would definitively keep SHA-1 around. As for SHA2-512, isn't there any
> benefit for us ATM compared to 256?
> 
> Michael
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org

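An added illustration of the fingerprint-versus-signature distinction discussed in this thread (example script, not part of the mailing-list messages or of the Maven project). It verifies a download against a Maven-style `.sha512` file (bare hex digest, optionally followed by the file name, which `sha512sum -c` does not accept directly) and then shows that a tampered artifact with a regenerated checksum passes the same check; the file names and contents are constructed.

```shell
#!/bin/sh
# Added example: checksum verification detects download corruption, not
# substitution. File names and contents below are constructed for the demo.
set -e

# Print the SHA-512 of a file as lowercase hex, with whichever tool exists.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_fingerprint FILE CHECKSUM_FILE -> exit 0 if digests match, 1 otherwise.
# Maven-style .sha512 files contain just the digest (sometimes "digest  name"),
# so take the first token and normalise its case before comparing.
verify_fingerprint() {
    expected=$(awk '{print tolower($1); exit}' "$2")
    actual=$(sha512_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Walk through the three cases the thread argues about.
demo() {
    dir=$(mktemp -d)
    art="$dir/apache-maven-X.Y.Z-bin.tar.gz"      # placeholder name, constructed
    printf 'constructed release artifact\n' > "$art"
    sha512_of "$art" > "$art.sha512"

    verify_fingerprint "$art" "$art.sha512" && echo "intact download: OK"

    # A download that picked up a stray byte is caught by the fingerprint.
    printf 'X' >> "$art"
    verify_fingerprint "$art" "$art.sha512" || echo "corrupted download: REJECTED"

    # Whoever can replace the artifact on a mirror can regenerate its .sha512
    # too, so the fingerprint alone says nothing about who published the file.
    # Only a signature (.asc) checked against a trusted public key does that.
    printf 'substituted artifact\n' > "$art"
    sha512_of "$art" > "$art.sha512"
    verify_fingerprint "$art" "$art.sha512" && echo "substituted artifact + regenerated checksum: ACCEPTED"

    rm -rf "$dir"
}

demo
```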