[
https://issues.apache.org/jira/browse/MNGSITE-334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karl Heinz Marbaise closed MNGSITE-334.
---------------------------------------
Resolution: Done
Done via change to SHA1/SHA256 checksums.
> maven installation insecure
> ---------------------------
>
> Key: MNGSITE-334
> URL: https://issues.apache.org/jira/browse/MNGSITE-334
> Project: Maven Project Web Site
> Issue Type: Bug
> Reporter: Warren MacEvoy
> Priority: Major
>
> The recommended install suggests using an insecure mirror, and then provides
> either an md5 sum (completely insecure, broken a thousand years ago), or a
> gpg signature (99% of installers will give up on following these directions,
> since they provide incomplete instructions on how to actually do it, and it
> is not easy to do).
> Please provide a SHA256 sum with your distribution! Please remove the MD5
> sum which is dangerous (provides a false sense of security). Please provide
> a complete recipe for verifying a signature using GnuPG.
> This bug affects all versions. Here is the very unsatisfying result of
> verifying using GPG:
> *gpg --verify $FILE.asc*
> gpg: assuming signed data in `apache-maven-3.5.2-bin.tar.gz'
> gpg: Signature made Wed 18 Oct 2017 01:59:56 AM MDT using DSA key ID B620D787
> gpg: Good signature from "Stephen Connolly <[email protected]>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
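The kind of checksum recipe the reporter asks for, as an added example that is not part of the JIRA thread or the Maven site. It assumes a downloaded archive and its `.sha256` file side by side, accepts either a bare hex digest or the `sha256sum`-style "digest  filename" layout, and rejects anything that is not a 64-character hex digest (for instance an HTML error page saved under the checksum's name); the archive and checksum files below are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the JIRA thread: verify an Apache Maven download
# against a published SHA-256 checksum file. Returns 0 only on an exact match.

# SHA-256 of a file, portable across GNU (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 <archive> <checksum-file>
#   0 = digest matches, 1 = mismatch, 2 = missing or malformed input
verify_sha256() {
    archive=$1
    sumfile=$2
    [ -f "$archive" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 2; }
    # First token of the first non-empty line is the digest in both layouts;
    # lowercase it because some mirrors publish uppercase hex.
    expected=$(awk 'NF {print tolower($1); exit}' "$sumfile")
    # Anything other than exactly 64 hex characters is not a SHA-256 digest.
    case "$expected" in
        *[!0-9a-f]*|'') echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "malformed checksum file: $sumfile" >&2; return 2; }
    actual=$(sha256_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive"
        return 0
    fi
    echo "MISMATCH: $archive (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo data standing in for apache-maven-3.5.2-bin.tar.gz and its .sha256.
demo_dir=$(mktemp -d)
archive="$demo_dir/apache-maven-3.5.2-bin.tar.gz"
printf 'constructed stand-in for the Maven binary archive\n' > "$archive"
good=$(sha256_of "$archive")
printf '%s  apache-maven-3.5.2-bin.tar.gz\n' "$good" > "$demo_dir/good.sha256"
printf '%s\n' "$good" | tr 'a-f' 'A-F' > "$demo_dir/good-bare.sha256"
printf '%064d\n' 0 > "$demo_dir/bad.sha256"
printf '<html>404 Not Found</html>\n' > "$demo_dir/html.sha256"

verify_sha256 "$archive" "$demo_dir/good.sha256"
```

A matching SHA-256 only proves the archive is the one the checksum describes; if both files come from the same untrusted mirror, the GPG signature checked against the key in the project's own KEYS file is what ties the release to the project.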