On Fri, 9 Oct 2015 19:50:52 -0700 Konstantin Boudnik <[email protected]> wrote:
> On Fri, Oct 09, 2015 at 06:32PM, Dmitriy Setrakyan wrote:
> > On Fri, Oct 9, 2015 at 2:02 PM, Konstantin Boudnik <[email protected]>
> > wrote:
> >
> > > Guys,
> > >
> > > We had to get rid of md5 sum long time ago, but it seems that
> > > sha1 is hitting
> > > the wall as well. Here's the good description of the problem:
> > > https://sites.google.com/site/itstheshappening/
> > >
> > > I'd suggest to scrap both of them in the next release. Any
> > > objections?
> > >
> >
> > I am not sure if we need to scrap SHA1. People do not have to use
> > it if they don't trust it.
>
> Why would we even bother providing a checksum that isn't trustworthy?
> It isn't a new development - we knew it for a while.
>
> > Are there any official ASF recommendations here?
>
> Yes, of course. This is the one, I am sure everyone here is aware of
> it http://www.apache.org/dev/release-signing.html#sha1
>
> In the frame of the particular discussion
> http://www.apache.org/dev/release-signing.html#md5-security
> http://www.apache.org/dev/release-signing.html#sha1
>
> Cos

+1

I've already done code signing with SHA-512. It is not computationally
expensive. Modern enterprise distros already use SHA-512 in /etc/shadow.

Example:

time sha512sum scribus-1.4.5.tar.xz
60db402b0fc4880f795694f3d6823ff2cedd660e7431c311ec7b75d79f09815e790da562c4cd4c080811559d1c16a3e65be8e1a348f655dbc37c3a6cec74650e  scribus-1.4.5.tar.xz

real 0m0.827s
user 0m0.382s
sys 0m0.036s

plinnell@linux:~/tar/Version14x> l
total 76500
drwxr-xr-x  3 plinnell users      160 Jan 27  2015 ./
drwxr-xr-x  4 plinnell users      104 May 19 13:35 ../
drwxr-xr-x 10 plinnell users     1224 Jan 27  2015 scribus-1.4.5/
-rw-r--r--  1 plinnell users 78251228 Jan 27  2015 scribus-1.4.5.tar.xz

It just makes for ugly release notes ;-)

Peter
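The consumer side of what Peter shows above, as an added example that is not from the thread or any Apache project: a small Python verifier that reads one `sha512sum`-style line, refuses MD5 (32 hex) and SHA-1 (40 hex) digests outright instead of trusting whatever length it finds, and compares the streamed SHA-512 of the artifact in constant time. The artifact name `example-1.0.tar.xz` and its contents are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# sha512sum output is "<hex digest>  <name>"; a '*' before the name means binary mode.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_checksum_line(line):
    """Return (digest_hex, filename); raise ValueError unless it is a SHA-512 line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a checksum line: %r" % line)
    digest, name = m.group(1).lower(), m.group(2)
    if len(digest) != 128:
        # 32 hex chars is MD5, 40 is SHA-1: refuse rather than silently trust a weak digest
        raise ValueError("expected SHA-512 (128 hex chars), got %d" % len(digest))
    return digest, name

def accepts_line(line):
    try:
        parse_checksum_line(line)
        return True
    except ValueError:
        return False

def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large tarball need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(artifact_path, checksum_line):
    """True only if the line is SHA-512, names this file, and the digest matches."""
    expected, name = parse_checksum_line(checksum_line)
    if Path(name).name != Path(artifact_path).name:
        return False
    return hmac.compare_digest(sha512_of_file(artifact_path), expected)

def demo():
    """Constructed artifact, not a real release: returns (verified, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "example-1.0.tar.xz"
        path.write_bytes(b"constructed release bytes\n" * 1000)
        line = "%s  example-1.0.tar.xz" % sha512_of_file(path)
        ok = verify_release(path, line)
        path.write_bytes(path.read_bytes() + b"x")  # one extra byte must fail verification
        return ok, verify_release(path, line)
```

`demo()` returns `(True, False)`; the checksum line itself still has to come from a trusted place (the signed `.sha512` next to the artifact), since a digest fetched from the same mirror as the tarball proves only that the download was not corrupted in transit.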
