On Thu, 30 Jan 2020 11:00:32 +0100 Matus UHLAR - fantomas wrote:
I use debian, and it uses GPG signatures. so I understand that sha-1
issue even less...
On 1/30/2020 9:54 AM, RW wrote:
It was a matter of Apache policy as I understand it. There were no
security implications at all.
Even if it had been relied on for security, SHA1 would only be
potentially vulnerable to an attack by an insider with a supercomputer.
Anyone in a position to exploit it could simply generate a new hash
file, so switching to SHA256 would still make no difference.
On 30.01.20 10:10, Kevin A. McGrail wrote:
The policy is at
https://www.apache.org/dev/release-distribution#sigs-and-sums
SHOULD NOT supply a MD5 or SHA-1 checksum file (because these are deprecated)
(fyi)
I was only trying to understand the reasons.
I tend to prefer lower security over no security when possible...
I have not analyzed the risk or done a threat model on this issue but
sha-1 is cryptographically weak and banned by ASF policy. There is a
ticket concerning asking for a variance but I am at best, neutral on
that idea.
Key to the issue is I fail to see how the highly intrusive security work
done for 3.4.3 can possibly be backported.
My recommendation remains a strong: upgrade to 3.4.4.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
