Oleg Gusakov wrote:
fyi:
- Maven password encryption uses SHA-256, and switching to SHA-512
could be done using optional encrypted string attributes to ensure
decryption of the existing passwords. SHA-256 is already in the SHA-2 family
and has not been cracked yet, so we can wait. The main question was
availability of SHA-512 in all targeted JVMs.
- Mercury signature generation uses SHA-1, I will explore switching it
to SHA-512: http://jira.codehaus.org/browse/MERCURY-128.
I think we need to generate both sha1 and sha512 in parallel so that
older tools can still see a sha1. Having something is better than
nothing (or something they think is wrong)
Thanks,
Oleg
Robert Burrell Donkin wrote:
On Wed, May 6, 2009 at 7:27 AM, Brett Porter <br...@apache.org> wrote:
For artifact checksums? They are not a security measure, so I don't
think increasing their length is of benefit.
Having read the same mail I'm guessing you did, it made me
reflect and we probably should have kept using md5 for efficiency TBH.
i'm talking about
http://www.debian-administration.org/users/dkg/weblog/48 etc
not really anything to panic about but going to need to transition
away from the current public key infrastructure over the next year or
so
- robert
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
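
The approach suggested in the thread, generating sha1 and sha512 side by side while checking whether the running JVM provides SHA-512, shown as an added example that is not part of the original messages or of Mercury's code. The class name, method name and sample bytes are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper, not Mercury's API.
public class ParallelDigests {
    // SHA-512 is the new digest; SHA-1 is still produced for older tools.
    static final String[] WANTED = {"SHA-512", "SHA-1"};

    /** Reads the stream once and returns algorithm -> lowercase hex digest. */
    static Map<String, String> digestAll(InputStream in) throws IOException {
        List<MessageDigest> digests = new ArrayList<>();
        for (String name : WANTED) {
            try {
                digests.add(MessageDigest.getInstance(name));
            } catch (NoSuchAlgorithmException e) {
                // This JVM lacks the algorithm: skip it, keep the others.
                System.err.println("digest unavailable on this JVM: " + name);
            }
        }
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) {
            // Feed the same chunk to every digest so the data is read only once.
            for (MessageDigest md : digests) md.update(buf, 0, n);
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (MessageDigest md : digests) {
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest()) hex.append(String.format("%02x", b));
            out.put(md.getAlgorithm(), hex.toString());
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample standing in for an artifact's bytes.
        byte[] artifact = "constructed sample artifact".getBytes(StandardCharsets.UTF_8);
        digestAll(new ByteArrayInputStream(artifact))
            .forEach((alg, hex) -> System.out.println(alg + "  " + hex));
    }
}
```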