On 3/1/2017 8:13 AM, Jan Høydahl wrote:
> Working on LUCENE-5143 I’m revising the README.html files we place in
> the dist folders. Then I started documenting how to validate checksum
> of the downloads in addition to GPG signature. Looks like MD5 can
> still be used for integrity checks
> (https://en.wikipedia.org/wiki/MD5), while the Ant guys claim
> otherwise in https://ant.apache.org/manual/Tasks/checksum.html. Will
> our .md5 and .sha1 files still provide security for the downloader
> after Google releases their recent findings or are they only useful to
> check that the download was complete and not partial?

From what I can see, hashes and signatures are both missing on the download mirrors for Lucene and Solr. That's probably prudent for hashes, but should signatures be there?

I'd expect hashes to be used as a quick "did it download right?" check. It's a weak form of authentication also, but as researchers have found, definitely not foolproof. Also, any download location with an altered archive could have altered hashes.

I do not think it would be possible for non-committers to create an altered GPG signature that validates, as long as the end user obtained the KEYS file directly from Apache. If I'm wrong about that, then perhaps we need an entirely new method of validation.

Thanks,
Shawn
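
The distinction drawn in the reply above, between a "did it download right?" check and authentication, as an added Python example that is not part of the original e-mail or of the Lucene/Solr release tooling. The function names, the `sidecar_trusted` flag, the result labels and the sample bytes are all assumptions made for illustration.

```python
import hashlib
import hmac

def parse_sidecar(text):
    """Pull the hex digest out of a .md5/.sha1 sidecar file.

    Accepts 'hex', 'hex  name', 'hex *name' and 'ALGO (name) = hex'.
    """
    lines = text.strip().splitlines()
    if not lines:
        return ""
    line = lines[0].strip()
    token = line.rsplit("=", 1)[1] if "=" in line else line.split()[0]
    return token.strip().lower()

def check_download(archive, sidecar_text, algo, sidecar_trusted):
    """Say what a checksum comparison proves about `archive` (bytes).

    sidecar_trusted (hypothetical flag): True only if the sidecar came from a
    source the archive's host cannot modify, e.g. the project's own site.
    """
    actual = hashlib.new(algo, archive).hexdigest()
    expected = parse_sidecar(sidecar_text)
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return "mismatch"
    # A match against a sidecar from the same host only shows the bytes
    # arrived as served; whoever altered the archive could alter the hash.
    return "matches-trusted-digest" if sidecar_trusted else "transfer-ok"

# Constructed sample data: a release archive and a copy altered on a mirror.
GENUINE = b"constructed release archive bytes"
TAMPERED = GENUINE + b" with altered content"

def make_sidecar(data, algo, name="release-x.y.z.tgz"):  # placeholder name
    return f"{hashlib.new(algo, data).hexdigest()}  {name}\n"

def demo():
    mirror_sidecar = make_sidecar(TAMPERED, "sha1")  # regenerated on the mirror
    origin_sidecar = make_sidecar(GENUINE, "sha1")   # taken from the origin
    return [
        check_download(TAMPERED, mirror_sidecar, "sha1", False),
        check_download(TAMPERED, origin_sidecar, "sha1", True),
        check_download(GENUINE[:10], origin_sidecar, "sha1", True),
        check_download(GENUINE, origin_sidecar, "sha1", True),
    ]

if __name__ == "__main__":
    print(demo())
```

The first result is the case the reply warns about: the altered archive passes because its hash file was altered with it. Even a digest from the origin is not a signature, so it complements rather than replaces the GPG check against a KEYS file obtained directly from Apache.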