On Fri, May 18, 2018 at 9:56 AM, Rob Tompkins <chtom...@gmail.com> wrote:
>
> > On May 18, 2018, at 11:42 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> >> On Fri, May 18, 2018 at 9:36 AM, sebb <seb...@gmail.com> wrote:
> >>
> >>> On 18 May 2018 at 16:30, Gary Gregory <garydgreg...@gmail.com> wrote:
> >>> Hi All:
> >>>
> >>> Eclipse is moving to SHA-256 to validate downloads [1] alongside MD5.
> >>>
> >>> We just updated to SHA-1 which apparently has been subject to a collision
> >>> attack [2].
> >>>
> >>> Our newish commons-release-plugin has just been updated to SHA-1.
> >>>
> >>> I'd like to add SHA-256 alongside SHA-1.
> >>>
> >>> Thoughts?
> >>
> >> Does Nexus support SHA-256?
> >>
> >> ISTR that there were some issues with it.
> >>
> >
> > Hard to say without trying:
> > - No: https://issues.sonatype.org/browse/NEXUS-5881
> > - Yes:
> > https://books.sonatype.com/nexus-book/3.4/reference/using.html#_search_criteria_and_component_attributes
> >
> > _But_, it would be a start to include SHA-256 in VOTE emails, which I am
> > working on with Rob to generate based on a template.
> >
> > That would give RC reviewers the opportunity to validate RC downloads from
> > dist with SHA-1 or SHA-256.
>
> If it’s only the release artifacts (tars/zips), that’s easy. If it’s the
> “convenience artifacts,” then I’m not sure. I think maven or nexus
> generates those under the hood which gives us less control.
>

I'll just make the release plugin generate a sha256.properties file like we
do a sha1.properties file.

Let's leave Nexus aside for now...

Gary

> -Rob
>
> >
> > Gary
> >
> >
> >>> [1]
> >>> https://www.eclipse.org/eclipse/news/4.8/platform_isv.php#equinox-sha-256-checksum
> >>> [2]
> >>> https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >> For additional commands, e-mail: dev-h...@commons.apache.org
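
An added example, not code from this thread or from commons-release-plugin: it writes a sha256.properties next to sha1.properties for the release artifacts in a dist directory and checks downloaded files against either one, as an RC reviewer would. The `<artifact>=<hex digest>` line layout, the `commons-example-1.0-*` file names and all function names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed layout: one "<artifact file name>=<hex digest>" line per artifact.
ALGORITHMS = {"sha1.properties": "sha1", "sha256.properties": "sha256"}

def file_digest(path, algorithm):
    """Hash a file in chunks so large tars/zips are not read into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_properties(dist, artifacts):
    """Write sha1.properties and sha256.properties next to the artifacts."""
    for props_name, algorithm in ALGORITHMS.items():
        lines = [f"{n}={file_digest(dist / n, algorithm)}" for n in artifacts]
        (dist / props_name).write_text("\n".join(lines) + "\n", encoding="utf-8")

def verify_properties(dist, props_name):
    """Return {artifact: "OK" | "MISMATCH" | "MISSING"} for one properties file."""
    results = {}
    for line in (dist / props_name).read_text(encoding="utf-8").splitlines():
        name, sep, expected = line.partition("=")
        name = name.strip()
        if not sep or name.startswith("#"):
            continue  # skip blank lines and comments
        if not (dist / name).is_file():
            results[name] = "MISSING"
            continue
        actual = file_digest(dist / name, ALGORITHMS[props_name])
        results[name] = "OK" if actual == expected.strip().lower() else "MISMATCH"
    return results

def demo():
    """Constructed sample: three made-up artifacts, one altered, one deleted."""
    names = [f"commons-example-1.0-{s}" for s in ("bin.zip", "src.zip", "src.tar.gz")]
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp)
        for name in names:
            (dist / name).write_bytes(b"constructed: " + name.encode())
        write_properties(dist, names)
        (dist / names[1]).write_bytes(b"altered after hashing")
        (dist / names[2]).unlink()
        return {p: verify_properties(dist, p) for p in ALGORITHMS}

if __name__ == "__main__":
    print(demo())
```

A checksum file fetched from the same location as the artifact only detects corruption in transit; digests copied from the VOTE email or a signed source are what let a reviewer detect a replaced file.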