fyi:

- Maven password encryption uses SHA-256, and switching to SHA-512 could be done using optional encrypted string attributes to ensure decryption of the existing passwords. SHA-256 is already in the SHA-2 family and has not been cracked yet, so we can wait. The main question was the availability of SHA-512 in all targeted JVMs.

- Mercury signature generation uses SHA-1; I will explore switching it to SHA-512: http://jira.codehaus.org/browse/MERCURY-128.

Thanks,
Oleg

Robert Burrell Donkin wrote:
On Wed, May 6, 2009 at 7:27 AM, Brett Porter <br...@apache.org> wrote:
For artifact checksums? They are not a security measure, so I don't think
increasing their length is of benefit.
Having read the same mail I'm guessing you did, it made me reflect and we
probably should have kept using md5 for efficiency TBH.

i'm talking about http://www.debian-administration.org/users/dkg/weblog/48 etc

not really anything to panic about but going to need to transition
away from the current public key infrastructure over the next year or
so

- robert
