I filed a bug about this already, but I've been directed to email here
instead. The bug I filed is:
https://issues.apache.org/jira/browse/INFRA-12626

Basically, on download pages we provide obsolete hashes for our downloads
(MD5 and SHA1). These are meant, as I understand it, to serve two purposes.
First, they allow you to make sure that your download succeeded. Second,
they allow you to ensure that your download wasn't tampered with.

For the first purpose: Great. They work. For the second purpose, however,
we need to move away from MD5 and SHA1 hashes, both of which can now be
attacked with relatively modest hardware.

Browsers are moving away from SHA1 at a very fast pace. See:

https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

And:

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

I don't know who's responsible for this, but my bug was closed because it's
not the infrastructure team, and so I'm trying here.

I suggest we move to SHA2 hashes for all verification purposes.

Thanks,

Mike
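
The distinction drawn in the message above, between a hash that only confirms a complete download and one that also gives tamper evidence, can be checked mechanically. The following is an added example, not part of the original message or of any project's tooling: it audits a release directory and reports which artifacts have a SHA-2 sidecar and which rely on MD5 or SHA-1 alone. The function names, status labels, sidecar naming (`<artifact>.sha256` and so on) and sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Sidecar extensions, strongest first. MD5 and SHA-1 still catch a corrupted
# download, but they are not treated here as evidence against tampering.
STRONG = {".sha512": "sha512", ".sha256": "sha256"}
WEAK = {".sha1": "sha1", ".md5": "md5"}
SIDECARS = {**STRONG, **WEAK}

def digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large release archives are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(release_dir):
    """Return {artifact name: (status, algorithm)} using the strongest sidecar."""
    report = {}
    for artifact in sorted(Path(release_dir).iterdir()):
        if not artifact.is_file() or artifact.suffix in SIDECARS:
            continue
        report[artifact.name] = ("no-checksum", None)
        for ext, algo in SIDECARS.items():
            sidecar = artifact.with_name(artifact.name + ext)
            if not sidecar.exists():
                continue
            # Assumed layout: "<hex>" or "<hex>  <filename>" on the first line.
            parts = sidecar.read_text().split()
            expected = parts[0].lower() if parts else ""
            status = "verified" if ext in STRONG else "integrity-only"
            if expected != digest(artifact, algo):
                status = "MISMATCH"
            report[artifact.name] = (status, algo)
            break
    return report

def demo():
    """Constructed sample: one artifact with a SHA-256 sidecar, one with MD5 only."""
    with tempfile.TemporaryDirectory() as d:
        for name, algo in (("new-1.0.tar.gz", "sha256"), ("old-1.0.tar.gz", "md5")):
            (Path(d) / name).write_bytes(name.encode())
            hexdigest = hashlib.new(algo, name.encode()).hexdigest()
            (Path(d) / f"{name}.{algo}").write_text(f"{hexdigest}  {name}\n")
        return audit(d)

if __name__ == "__main__":
    for name, (status, algo) in demo().items():
        print(f"{name}: {status} ({algo})")
```

A checksum fetched from the same server as the artifact protects only as far as that server does, so "verified" here means the SHA-2 digest matched, not that the publisher was authenticated.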
