On Thu, Aug 31, 2017 at 3:15 PM, Henk P. Penning wrote:
> -- SHA-1 : not as bad as MD5, but no longer considered secure
> by some ; https://en.wikipedia.org/wiki/SHA-1 ; skip
> -- SHA-256 : fine
> -- SHA-512 : fine
>
> So, I would suggest we pick SHA-256...
+1
-Bertrand
---
Henk P. Penning wrote:
> On Fri, 1 Sep 2017, Christopher wrote:
>
> > Date: Fri, 1 Sep 2017 03:29:58 +0200
> > From: Christopher
> > To: general@incubator.apache.org
> > Subject: Re: Digests in releases
> >
> > On Wed, Aug 30, 2017 at 5:08 PM Julian Hyde wrote:
On Fri, 1 Sep 2017, Christopher wrote:
Date: Fri, 1 Sep 2017 03:29:58 +0200
From: Christopher
To: general@incubator.apache.org
Subject: Re: Digests in releases
On Wed, Aug 30, 2017 at 5:08 PM Julian Hyde wrote:
What is the correct forum for discussing release distribution policy?
Good
Dave Fisher wrote on Thu, 31 Aug 2017 13:35 -0700:
> Regardless of what Jane User knows, and we have 200 million Jane Users of
> Apache OpenOffice, I think it would be helpful to have an Apache Download
> checker program/script that could be run to confirm the bona fides.
>
> An idea.
Why stop h
Hey Joe,
Thanks for the pointer. I think Henk needs to be involved.
Regards,
Dave
Sent from my iPhone
> On Aug 31, 2017, at 3:31 PM, Joe Schaefer wrote:
>
> Henk's scripting does that and much more.
>
>> On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning wrote:
>>
>> I thought that gpg does that.
On Wed, Aug 30, 2017 at 5:08 PM Julian Hyde wrote:
> What is the correct forum for discussing release distribution policy?
>
>
Good question. I hope it's this one, since this is where the discussion is
happening.
> Current policy [1] states:
>
> Every artifact distributed to the public through
Henk's scripting does that and much more.
On Thu, Aug 31, 2017 at 5:09 PM Ted Dunning wrote:
> I thought that gpg does that.
>
> On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher
> wrote:
>
> > Regardless of what Jane User knows, and we have 200 million Jane Users of
> > Apache OpenOffice, I think i
I thought that gpg does that.
On Thu, Aug 31, 2017 at 1:35 PM, Dave Fisher wrote:
> Regardless of what Jane User knows, and we have 200 million Jane Users of
> Apache OpenOffice, I think it would be helpful to have an Apache Download
> checker program/script that could be run to confirm the bona fides.
Regardless of what Jane User knows, and we have 200 million Jane Users of
Apache OpenOffice, I think it would be helpful to have an Apache Download
checker program/script that could be run to confirm the bona fides.
An idea.
Regards,
Dave
> On Aug 31, 2017, at 1:22 PM, Julian Hyde wrote:
>
>
I know this. You know this. Joe User does not know this. I am trying to make
Joe User’s life easier.
Since SHA256 is sufficient for both purposes why does release policy MANDATE
that projects include an MD5?
Julian
> On Aug 31, 2017, at 1:17 PM, Ted Dunning wrote:
>
> The checksum is not a
The checksum is not a tampering countermeasure.
It is a "mirror ran out of disk space" or "IP checksums are only 32 bits"
countermeasure.
On Thu, Aug 31, 2017 at 11:35 AM, Julian Hyde wrote:
> As security experts, you and I know that. But Joe User maybe only checks
> one digest.
>
> (Aren’t we
As security experts, you and I know that. But Joe User maybe only checks one
digest.
(Aren’t we all Joe User sometimes?)
Julian
> On Aug 31, 2017, at 11:30 AM, Mike Jumper wrote:
>
> On Aug 31, 2017 11:21, "Julian Hyde" wrote:
>
> After downloading artifacts, there are 3 things to check: (1
On Aug 31, 2017 11:21, "Julian Hyde" wrote:
After downloading artifacts, there are 3 things to check: (1) the download
is successful; (2) the artifacts were indeed created by the named author;
and (3) the artifacts have not been tampered with.
A security expert would know to use the .md5 for (1)
After downloading artifacts, there are 3 things to check: (1) the download is
successful; (2) the artifacts were indeed created by the named author; and (3)
the artifacts have not been tampered with.
A security expert would know to use the .md5 for (1), the .asc for (2), and the
.sha256 or .sha
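An added example, not code from this thread and not an ASF tool (Henk's scripting mentioned earlier on the page is a separate thing): a small Python checker that keeps the three checks in this message apart, and that reflects Ted's point elsewhere in the thread that a digest fetched from the same mirror as the artifact is a transfer-integrity check, not a tampering countermeasure. Assumptions, none of them from the thread: the digest sidecar is in one of the two layouts parse_digest_file handles (md5sum/sha256sum style, or gpg --print-md style with the hex split into groups); gpg is on PATH; keyring is a keyring built from the project's KEYS file fetched from the canonical ASF host, not from the mirror; the function names are mine. The file written in selfcheck() is constructed for the example.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Expected hex length per algorithm, used to reject a mis-parsed digest file.
HEX_LEN = {"md5": 32, "sha256": 64, "sha512": 128}


def parse_digest_file(text, artifact_name, hex_len):
    """Pull the hex digest out of a .md5/.sha256/.sha512 sidecar file.

    Assumption (not from the thread): the file uses one of two layouts,
      '<hex>  <artifact>'            (md5sum / sha256sum output), or
      '<artifact>: <hex> <hex> ...'  (gpg --print-md output, hex in groups).
    Anything else is rejected by the length check rather than guessed at.
    """
    body = text.replace(artifact_name, " ")
    digest = "".join(re.findall(r"[0-9A-Fa-f]{4,}", body)).lower()
    if len(digest) != hex_len:
        raise ValueError(f"expected {hex_len} hex chars, found {len(digest)}")
    return digest


def hash_file(path, algo):
    """Stream the file through hashlib so large tarballs are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(artifact, digest_file, algo):
    """Check (1): the whole file arrived intact.

    The digest file is served by the same mirror as the artifact, so a match
    only proves transfer integrity; whoever could alter the tarball could
    regenerate the sidecar too. Any of md5/sha256/sha512 serves this purpose.
    """
    artifact, digest_file = Path(artifact), Path(digest_file)
    expected = parse_digest_file(digest_file.read_text(), artifact.name,
                                 HEX_LEN[algo])
    return hash_file(artifact, algo) == expected


def verify_signature(artifact, asc_file, keyring):
    """Checks (2) and (3): the detached OpenPGP signature verifies under a key
    in `keyring` (assumed built from the project's KEYS file). Needs gpg on PATH.

    Returns the signing key's fingerprint on success, None otherwise. Compare
    that fingerprint with the one the release manager published: gpg exits 0
    for any key present in the keyring, whether or not you trust it.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", str(keyring), "--verify", str(asc_file), str(artifact)],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    for line in proc.stdout.splitlines():
        # Machine-readable status line: '[GNUPG:] VALIDSIG <fingerprint> ...'
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2]
    return None


def selfcheck():
    """Exercise the digest path offline on a constructed file (no gpg needed).

    Returns (match with sha256sum layout, match with gpg --print-md layout,
    match after one byte is appended to the artifact).
    """
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in; not a real Apache release.
        art = Path(d) / "apache-example-1.0-src.tar.gz"
        art.write_bytes(b"constructed payload standing in for a release tarball\n")
        digest = hash_file(art, "sha256")
        flat = Path(d) / "flat.sha256"
        flat.write_text(f"{digest}  {art.name}\n")
        grouped = Path(d) / "grouped.sha256"
        groups = " ".join(digest[i:i + 4].upper() for i in range(0, 64, 4))
        grouped.write_text(f"{art.name}: {groups}\n")
        intact_flat = verify_digest(art, flat, "sha256")
        intact_grouped = verify_digest(art, grouped, "sha256")
        art.write_bytes(art.read_bytes() + b"\x00")
        corrupted = verify_digest(art, flat, "sha256")
    return intact_flat, intact_grouped, corrupted
```

Usage: call verify_digest(tarball, tarball + ".sha256", "sha256") first; if it fails, re-download before thinking about attacks. Then verify_signature(tarball, tarball + ".asc", keyring) and compare the returned fingerprint with the release manager's published one. The exit code of gpg on its own is not an authenticity decision, and a matching digest on its own is not one either.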
On Wed, 30 Aug 2017, Julian Hyde wrote:
Date: Wed, 30 Aug 2017 14:08:42 -0700
From: Julian Hyde
To: general@incubator.apache.org
Subject: Digests in releases
What is the correct forum for discussing release distribution policy?
MD5 is no longer deemed secure[2]. I think we should remove it
On 30 August 2017 at 22:08, Julian Hyde wrote:
> What is the correct forum for discussing release distribution policy?
>
> Current policy [1] states:
>
> Every artifact distributed to the public through Apache channels MUST
> be accompanied by one file containing an OpenPGP compatible ASCII
>
What is the correct forum for discussing release distribution policy?
Current policy [1] states:
Every artifact distributed to the public through Apache channels MUST
be accompanied by one file containing an OpenPGP compatible ASCII
armored detached signature and another file containing an
17 matches