[ https://issues.apache.org/jira/browse/LOG4J2-2958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17300988#comment-17300988 ]

Ralph Goers commented on LOG4J2-2958:
-------------------------------------

The checksum policy sent to the Logging Services PMC in March 2018 reads as 
follows:


{panel}


 The Release Distribution Policy[1] changed regarding checksum files.
  See under "Cryptographic Signatures and Checksums Requirements" [2].

    MD5-file == a .md5 file
    SHA-file == a .sha1, sha256 or .sha512 file

 Old policy :

    -- MUST provide a MD5-file
    -- SHOULD provide a SHA-file [SHA-512 recommended]

 New policy :

    -- MUST provide a SHA- or MD5-file
    -- SHOULD provide a SHA-file
    -- SHOULD NOT provide a MD5-file

    Providing MD5 checksum files is now discouraged for new releases,
    but still allowed for past releases.

 Why this change :

    -- MD5 is broken for many purposes ; we should move away from it.
       [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]

 Impact for PMCs :

    -- for new releases :
       -- please do provide a SHA-file (one or more, if you like)
       -- do NOT provide a MD5-file

    -- for past releases :
       -- you are not required to change anything
       -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
          it would be nice if you removed the MD5-file

    -- if, at the moment, you provide MD5-files,
       please adjust your release tooling.
{panel}
Log4j 2.3 was released in May 2015 and so precedes this policy by 
3 years. Even so, the policy as stated still says either an SHA or MD5 must be 
provided for new releases, although it contradicts itself by saying an MD5 
after saying it should provide one.

In any case, all new releases no longer provide md5 files. Log4j 2.3 is the 
last release that supports Java 6. As such we are very likely to declare it EOL 
with our next release.
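An added example, not part of this issue or of the project's own release tooling, that applies the quoted policy to a release directory: each artifact is verified against the strongest sidecar checksum present (.sha512 before .sha256, .sha1, .md5) and the policy findings from the PMC text are reported. Artifact names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Strongest first; .md5 still satisfies the old MUST rule but is flagged under the new policy.
CHECKSUM_EXTS = ["sha512", "sha256", "sha1", "md5"]

def digest_file(path, algo):
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def read_sidecar(sidecar):
    # Accept both bare "<hex>" and "<hex>  <filename>" (sha512sum style).
    return sidecar.read_text().split()[0].lower()

def verify_artifact(artifact):
    # Returns (status, algorithm used, policy findings), checking the strongest sidecar present.
    sidecars = {e: artifact.with_name(f"{artifact.name}.{e}") for e in CHECKSUM_EXTS}
    present = [e for e in CHECKSUM_EXTS if sidecars[e].exists()]
    if not present:
        return "FAIL", None, ["no checksum file (MUST provide a SHA- or MD5-file)"]
    findings = ["md5 file present (SHOULD NOT provide a MD5-file)"] if "md5" in present else []
    if not any(e.startswith("sha") for e in present):
        findings.append("no SHA file (SHOULD provide a SHA-file)")
    algo = present[0]
    if digest_file(artifact, algo) != read_sidecar(sidecars[algo]):
        return "FAIL", algo, findings + [f"{algo} mismatch"]
    return "OK", algo, findings

def make_sample_release(root):
    # Constructed sample artifacts (hypothetical names, not real Log4j files).
    good = root / "example-2.3-bin.zip"          # sha512 + md5 sidecars
    good.write_bytes(b"constructed release payload\n")
    for e in ("sha512", "md5"):
        (root / f"{good.name}.{e}").write_text(f"{digest_file(good, e)}  {good.name}\n")
    legacy = root / "example-2.3-src.zip"        # md5 only: old-policy style
    legacy.write_bytes(b"another constructed payload\n")
    (root / f"{legacy.name}.md5").write_text(digest_file(legacy, "md5") + "\n")
    tampered = root / "example-2.3-javadoc.zip"  # bytes changed after sidecar written
    tampered.write_bytes(b"original bytes\n")
    (root / f"{tampered.name}.sha256").write_text(digest_file(tampered, "sha256") + "\n")
    tampered.write_bytes(b"modified bytes\n")
    return {"good": good, "legacy": legacy, "tampered": tampered}

def demo():
    root = Path(tempfile.mkdtemp())
    return {k: verify_artifact(p) for k, p in make_sample_release(root).items()}
```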


> MD5 hash is deprecated
> ----------------------
>
>                 Key: LOG4J2-2958
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2958
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Sebb
>            Priority: Major
>
> The download page
> [https://logging.apache.org/log4j/2.x/download.html]
> uses md5 hashes for release 2.3
> However there are sha256 and sha512 hashes; one of these should be used 
> instead, and the md5 hashes dropped from the download host. The sha1 hashes 
> likewise are deprecated and should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)