[ https://issues.apache.org/jira/browse/DERBY-6973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703628#comment-16703628 ]
Rick Hillegas commented on DERBY-6973:
--------------------------------------

As part of publishing jar files to the maven artifactories, our release machinery generates md5 and sha-1 checksums via a maven <createChecksum> configuration element. These checksums are deployed to the artifactories alongside the jars and their pgp signatures. The maven developer community seems to have resisted upgrading <createChecksum> to generate stronger sha-256 or sha-512 checksums. See the discussion here: http://maven.40175.n5.nabble.com/Taking-Security-Seriously-td5887703.html

What do people think that we should do:

* Nothing. Continue to follow the maven best practice of generating weak md5 and sha-1 checksums.
* Remove the <createChecksum> element and stop generating these obsolete checksums.
* Something else?

Thanks,
-Rick

> Provide SHA-512 checksums on future releases
> --------------------------------------------
>
>                 Key: DERBY-6973
>                 URL: https://issues.apache.org/jira/browse/DERBY-6973
>             Project: Derby
>          Issue Type: Bug
>          Components: Web Site
>    Affects Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1,
>                      10.2.1.6, 10.2.2.0, 10.3.1.4, 10.3.2.1, 10.3.3.0, 10.4.1.3, 10.4.2.0,
>                      10.5.1.1, 10.5.2.0, 10.5.3.0, 10.6.1.0, 10.6.2.1, 10.7.1.1, 10.8.1.2,
>                      10.8.2.2, 10.8.3.0, 10.9.1.0, 10.10.1.1, 10.10.2.0, 10.11.1.1, 10.12.1.1,
>                      10.13.1.1, 10.14.1.0, 10.15.0.0
>            Reporter: Warren MacEvoy
>            Assignee: Rick Hillegas
>            Priority: Major
>
> Releases have md5 sum for signatures, and nothing modern. How is this even
> possible?

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
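A small checker for the sidecar checksum files the comment discusses, added here as an example; it is not Derby's release machinery or Maven's <createChecksum> code, and the jar bytes and file names it uses are constructed for the demo. It writes the bare-hex-digest sidecars a Maven repository deploys next to a jar and, on the consuming side, only reports an artifact as verified when a SHA-2 digest matched, not when md5/sha-1 alone did.

```python
import hashlib
import hmac
import os
import tempfile

# Digests Maven's <createChecksum> emits today versus the SHA-2 ones DERBY-6973
# asks for. The names double as hashlib constructor names.
WEAK = ("md5", "sha1")
STRONG = ("sha256", "sha512")

def write_checksum_files(artifact_path, algorithms=STRONG):
    """Write <artifact>.<alg> sidecars holding the bare lowercase hex digest,
    the single-token layout deployed next to a jar in a Maven repository."""
    with open(artifact_path, "rb") as f:
        data = f.read()
    for alg in algorithms:
        with open(f"{artifact_path}.{alg}", "w") as f:
            f.write(hashlib.new(alg, data).hexdigest() + "\n")

def verify_artifact(artifact_path):
    """Check every sidecar present (bare digest or 'digest  filename' layout).
    Returns {alg: matched} plus 'strong', True only if a SHA-2 digest matched,
    so a download verified by md5/sha1 alone is not treated as trustworthy."""
    with open(artifact_path, "rb") as f:
        data = f.read()
    results = {}
    for alg in WEAK + STRONG:
        side = f"{artifact_path}.{alg}"
        if not os.path.exists(side):
            continue
        with open(side) as f:
            expected = f.read().split()[0].lower()
        actual = hashlib.new(alg, data).hexdigest()
        results[alg] = hmac.compare_digest(expected, actual)
    results["strong"] = any(results.get(a, False) for a in STRONG)
    return results

def demo():
    """Constructed sample (not a real Derby artifact): a fake jar published
    with md5/sha1 sidecars only, then republished with a sha512 sidecar."""
    jar = os.path.join(tempfile.mkdtemp(), "derby.jar")
    with open(jar, "wb") as f:
        f.write(b"PK\x03\x04 constructed sample bytes, not a real jar")
    write_checksum_files(jar, WEAK)
    weak_only = verify_artifact(jar)["strong"]      # False
    write_checksum_files(jar, ("sha512",))
    with_sha512 = verify_artifact(jar)["strong"]    # True
    return weak_only, with_sha512
```

The sidecar alone only proves the download matches what the repository serves; the PGP signature mentioned in the comment is still what ties the artifact to the release manager.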