Andreas Felder created IVY-1554:
-----------------------------------

             Summary: Please add additional checksum algorithms
                 Key: IVY-1554
                 URL: https://issues.apache.org/jira/browse/IVY-1554
             Project: Ivy
          Issue Type: Improvement
          Components: Core
    Affects Versions: 2.4.0
            Reporter: Andreas Felder


Apache Ivy provides two algorithms (SHA-1 and MD5) to verify the correctness of 
files in a repository. MD5 has been known to be unsafe for a while, which is no 
problem because SHA-1 is also supported. As of yesterday SHA-1 is also broken (e.g. 
http://hackaday.com/2017/02/23/shattered-sha-1-is-broken/).

To ensure the correctness of our artifacts, please extend those algorithms with 
SHA-256 and/or SHA-512.

MessageDigests are computed in class
https://git-wip-us.apache.org/repos/asf?p=ant-ivy.git;a=blob;f=src/java/org/apache/ivy/util/ChecksumHelper.java;h=56aa936296fa9fbd9699432f041e06a9e588a618;hb=HEAD
using {{MessageDigest.getInstance(mdAlgorithm)}}. It should be no problem to 
extend the list of allowed algorithms, because at least with JDK/JRE 6 SHA-512 
is supported (see 
https://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest).




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
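
An added example, not Ivy's own code and not part of the original message: a minimal sketch of the kind of extension the issue requests, where an allow-list maps short checksum names to JCA standard names before calling MessageDigest.getInstance. The class name ChecksumDemo, the method computeAsString, the short names and the "abc" sample input are assumptions made for illustration; Map.of requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Map;

public class ChecksumDemo {
    // Hypothetical allow-list: short checksum name -> JCA standard MessageDigest name.
    private static final Map<String, String> ALGORITHMS = Map.of(
            "md5", "MD5", "sha1", "SHA-1",
            "sha256", "SHA-256", "sha512", "SHA-512"); // last two: what the issue asks for

    // Streams the input through the digest and returns the result as lowercase hex.
    static String computeAsString(InputStream in, String algorithm) throws IOException {
        String jcaName = ALGORITHMS.get(algorithm.toLowerCase(Locale.ROOT));
        if (jcaName == null) {
            // Reject anything outside the allow-list instead of passing it to the JCA.
            throw new IllegalArgumentException("unknown checksum algorithm: " + algorithm);
        }
        MessageDigest md;
        try {
            md = MessageDigest.getInstance(jcaName);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(jcaName + " is not available in this JRE", e);
        }
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1;) {
            md.update(buf, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws IOException {
        byte[] artifact = "abc".getBytes(StandardCharsets.US_ASCII); // constructed sample input
        // Published SHA-256 test vector for "abc", standing in for a repository checksum file.
        String published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        String actual = computeAsString(new ByteArrayInputStream(artifact), "sha256");
        System.out.println("sha256 matches: " + MessageDigest.isEqual(
                actual.getBytes(StandardCharsets.US_ASCII), published.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("sha512: " + computeAsString(new ByteArrayInputStream(artifact), "sha512"));
    }
}
```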
