> On May 18, 2018, at 11:42 AM, Gary Gregory <garydgreg...@gmail.com> wrote: > >> On Fri, May 18, 2018 at 9:36 AM, sebb <seb...@gmail.com> wrote: >> >>> On 18 May 2018 at 16:30, Gary Gregory <garydgreg...@gmail.com> wrote: >>> Hi All: >>> >>> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5. >>> >>> We just updated to SHA-1 which apparently has been subject to a collision >>> attack [2]. >>> >>> Our newish commons-release-plugin has just been updated to SHA-1. >>> >>> I'd like to add SHA-256 alongside SHA-1. >>> >>> Thoughts? >> >> Does Nexus support SHA-256? >> >> ISTR that there were some issues with it. >> > > Hard to say without trying: > - No: https://issues.sonatype.org/browse/NEXUS-5881 > - Yes: > https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes > > _But_, it would be a start to include SHA-256 in VOTE emails, which I am > working on with Rob to generate based on a template. > > That would give RC reviewers the opportunity to validate RC downloads from > dist with SHA-1 or SHA-256.
If it’s only the release artifacts (tars/zips), that’s easy. If it’s the “convenience artifacts,” then I’m not sure. I think maven or nexus generates those under the hood which gives us less control. -Rob > > Gary > > >>> [1] >>> https://www.eclipse.org/eclipse/news/4.8/platform_isv. >> php#equinox-sha-256-checksum >>> [2] >>> https://arstechnica.com/information-technology/2017/ >> 02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/ >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
