> On 30 Oct 2017, at 20:47, Matthias Bläsing <[email protected]> wrote:
>
> Hey,
>
> On Monday, 30.10.2017, 20:02 +0100, Antonio Vieiro wrote:
>>>> On the other hand during review of HTML/Java API I had to remove download
>>>> from google Maven repository - it was seen as untrusted. I assume the same
>>>> will be said about the eclipse repository.
>>>
>>> I don't follow that argument. The trust basis is the SHA1 hash that is
>>> checked at download time. At this point in time I consider SHA1 as a
>>> safe basis and thus I don't care if the binary comes from Maven Central,
>>> the eclipse repository or whatever.
>>
>> Untrusted because missing https certificates, maybe?
>>
>> The DownloadBinaries.java ant task currently uses plain http, so no worries
>> about https certificates (but we could use a custom SSLSocketFactory with
>> some certs if required).
>>
>
> Please see the DownloadBinaries#doDownload method. The download is done
> and after that the file hash is compared with the reference from the
> binaries-list.

I agree with you that the SHA1 is enough. I meant that maybe Yaroslav was talking about "untrusted HTTPS" connections.

Cheers,
Antonio

> So you'd need to create a SHA1 collision to inject code when
> downloading. While theoretically possible, I'd currently not think
> about the problem.
>
> We should think about making the hashing extendable, so that we can
> later switch to safer hashing algorithms.
>
> Greetings
>
> Matthias
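An added example, not code from the NetBeans project or from anyone in this thread, of the extensible hash check Matthias proposes: the reference entry carries an algorithm prefix (the `ALG:hex` layout and the bare-hex-means-SHA-1 fallback are assumptions, not the real binaries-list format), the digest is looked up by name at run time so a new algorithm needs no code change, and the comparison is constant-time. The two digests used are the standard SHA-1 and SHA-256 test vectors for the string "abc".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/** Checks downloaded bytes against an algorithm-prefixed reference digest (assumed format). */
public final class ExtensibleHashCheck {

    /** Reference entry: "SHA-256:<hex>" or a bare hex string, which is treated as legacy SHA-1. */
    static boolean matches(byte[] downloaded, String reference) throws NoSuchAlgorithmException {
        String algorithm = "SHA-1";            // assumed legacy default for entries without a prefix
        String expectedHex = reference.trim();
        int colon = expectedHex.indexOf(':');
        if (colon > 0) {
            algorithm = expectedHex.substring(0, colon).toUpperCase(Locale.ROOT);
            expectedHex = expectedHex.substring(colon + 1);
        }
        // Accept the common spellings without the dash that JCA expects.
        if ("SHA1".equals(algorithm)) algorithm = "SHA-1";
        if ("SHA256".equals(algorithm)) algorithm = "SHA-256";
        if ("SHA512".equals(algorithm)) algorithm = "SHA-512";
        // Digest chosen by name at run time: switching the list to a stronger hash is a data change only.
        byte[] actual = MessageDigest.getInstance(algorithm).digest(downloaded);
        byte[] expected = hexToBytes(expectedHex);
        // Constant-time comparison; returns false on a length mismatch instead of throwing.
        return MessageDigest.isEqual(actual, expected);
    }

    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex digest");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload standing in for the downloaded artifact.
        byte[] payload = "abc".getBytes(StandardCharsets.UTF_8);
        String legacyEntry = "a9993e364706816aba3e25717850c26c9cd0d89d";                        // SHA-1("abc")
        String newEntry = "SHA-256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"; // SHA-256("abc")
        byte[] tampered = "abd".getBytes(StandardCharsets.UTF_8);
        System.out.println("legacy SHA-1 entry accepted: " + matches(payload, legacyEntry));   // true
        System.out.println("prefixed SHA-256 entry accepted: " + matches(payload, newEntry));  // true
        System.out.println("tampered payload rejected: " + matches(tampered, newEntry));       // false
    }
}
```

The check proves only that the bytes match the reference entry, so the binaries-list itself has to come from a trusted place (the source tree under review) for the scheme to mean anything, regardless of whether the download went over http or https.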
