Re: Use of MD5 and SHA1 for download verification

2017-01-26 Thread sebb
Yes, hashes etc. are not replicated to mirrors; I think this is partly to encourage people to download them from the ASF hardware. However a rogue mirror could still provide its own hashes. But hashes from ASF hardware still only provide a basic download check; they don't provide authentication, be

Re: Use of MD5 and SHA1 for download verification

2017-01-26 Thread Owen O'Malley
Infra does filter filenames that match (*.sha256) from the mirror replication, so it is possible to use such names and have matching behavior: Compare mirror: http://apache.cs.utah.edu/orc/orc-1.2.3/ Apache version: http://www-eu.apache.org/dist/orc/orc-1.2.3/ and you can see the sha256 files are

Re: Use of MD5 and SHA1 for download verification

2017-01-26 Thread Christopher
To be clear, those "trusted signatures" should be using strong hash algorithms themselves. (As well as sufficiently long keys.) I raised the issue of weak hashes in GPG signatures for Maven projects at ASF with https://issues.apache.org/jira/browse/MPOM-118 , but non-Maven projects which manually s

Re: Use of MD5 and SHA1 for download verification

2017-01-26 Thread Ted Dunning
SHA1 and MD5 have been individually compromised, but a combined hash has not been. Regardless, Sebb's comment that hashes are worthless for authentication and tamper-detection is spot-on. You have to look to trusted signatures for that. On Thu, Jan 26, 2017 at 10:20 AM, Mike Lissner < mliss...@

Re: Use of MD5 and SHA1 for download verification

2017-01-26 Thread sebb
On 26 January 2017 at 18:20, Mike Lissner wrote: > I filed a bug about this already, but I've been directed to email here > instead. The bug I filed is: > https://issues.apache.org/jira/browse/INFRA-12626 > > Basically, on download pages we provide obsolete hashes for our downloads > (MD5 and SHA1

Use of MD5 and SHA1 for download verification

2017-01-26 Thread Mike Lissner
I filed a bug about this already, but I've been directed to email here instead. The bug I filed is: https://issues.apache.org/jira/browse/INFRA-12626 Basically, on download pages we provide obsolete hashes for our downloads (MD5 and SHA1). These are meant, as I understand it, to serve two purposes

Re: Hello

2017-01-26 Thread Faizul Kamarudin
👌 On 22 Jan 2017 8:28 AM, "Andrew Palumbo" wrote: > Hello, > > > I sent an email yesterday regarding swag for Meetups, etc. to this list, > thinking that it was an Apache list that was devoted specifically to that > type of thing (I was just going off of a comment automatically sent to me > f

Re: Fwd: New Feathercast mailing list

2017-01-26 Thread Faizul Kamarudin
👌 On 26 Jan 2017 4:47 AM, "Rich Bowen" wrote: > To anyone who has at any time expressed interest in helping out with > Feathercast, please see below. (Some of you have already received this, > but sending it to comdev just in case I missed someone!) > > Thanks! > > --Rich > > > Forw