On Wed, Jun 28, 2017 at 2:58 AM, Niklas Keller <m...@kelunik.com> wrote:
> 2017-06-28 4:19 GMT+02:00 Sara Golemon <poll...@php.net>:
>> I've pushed two commits to remove MD5 from www.php.net and qa.php.net,
>> however it should be noted that I left a fair amount of md5 in web-php
>> because very old releases have neither GPG signatures nor SHA256
>> checksums, and while MD5 is weak and broken, it's better than nothing.
>>
> Can't we just rehash them?
>
If we agree that we trust the existing binaries haven't been
compromised at any point, sure. But at that point we'd be saying
"Here's a trustable sha256/gpg signature for a file" when really it's
"Here's a signature that's only really as trustable as the md5 we used
to verify it when we rehashed".

In the interest of not presenting a false sense of security, I'd vote
"No" on that.  Our past few years of releases are more reliably
signed, and we can be honest about what's in the attic.

That all said, it wouldn't be a terrible idea to anchor some gpg sigs
of the old archives (in an explicitly flagged repo) just to be able to
say "They haven't changed since Jun 2017".

-Sara

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
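
The trade-off discussed in this message, as an added example that is not part of the original email or of any php.net tooling: a manifest that records a SHA-256 for each old archive together with the basis on which it was anchored, so the new hash never claims more trust than the MD5 check gave it. The function names, the manifest layout and the sample data are assumptions made for illustration; signing the serialized manifest with GPG is left outside the code.

```python
import hashlib
import json

def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()

def build_manifest(archives, published_md5, anchored_on):
    """archives: name -> bytes; published_md5: name -> MD5 hex from the old listing."""
    entries = {}
    for name in sorted(archives):
        data = archives[name]
        md5_ok = published_md5.get(name) == digest(data, "md5")
        entries[name] = {
            "sha256": digest(data, "sha256"),
            # The new hash inherits only the trust the MD5 check gave at anchor time.
            "basis": "md5-matched-at-anchor" if md5_ok else "unverified-at-anchor",
        }
    return {"claim": "unchanged since " + anchored_on, "entries": entries}

def canonical_bytes(manifest) -> bytes:
    """Stable serialization: the bytes a detached signature would cover."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def changed_since_anchor(manifest, archives):
    """Names that are missing or whose bytes no longer match the anchored SHA-256."""
    return [name for name, entry in manifest["entries"].items()
            if name not in archives
            or digest(archives[name], "sha256") != entry["sha256"]]

if __name__ == "__main__":
    # Constructed sample data, not real release archives or checksums.
    attic = {"legacy-a.tar.gz": b"archive A bytes", "legacy-b.tar.gz": b"archive B bytes"}
    listed_md5 = {"legacy-a.tar.gz": digest(attic["legacy-a.tar.gz"], "md5"),
                  "legacy-b.tar.gz": "0" * 32}  # listing disagrees with the file
    manifest = build_manifest(attic, listed_md5, "2017-06")
    print(canonical_bytes(manifest).decode())
    attic["legacy-a.tar.gz"] += b"!"  # simulate a later modification
    print("changed:", changed_since_anchor(manifest, attic))
```

The manifest only supports the "unchanged since" claim; the `basis` field keeps the weaker MD5 provenance visible next to each SHA-256.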