Edit report at https://bugs.php.net/bug.php?id=74259&edit=1
ID:                 74259
Comment by:         security at paragonie dot com
Reported by:        [email protected]
Summary:            Release API shouldn't provide MD5 hashes
Status:             Open
Type:               Feature/Change Request
Package:            Website problem
PHP Version:        Irrelevant
Block user comment: N
Private report:     N

New Comment:

> MD5 is broken and can no longer be seen as collision-resistant.

This is a bit of an understatement. It's trivial to create two files (one benign, one malicious) with the same MD5 hash.

> We already have SHA-256 there, which is fine. We should also add the PGP
> signatures we provide in the announcement e-mails.

+1

Previous Comments:
------------------------------------------------------------------------
[2017-03-17 07:55:11] [email protected]

Description:
------------
http://php.net/releases/?json&max=2000&version=7 shouldn't provide MD5 hashes for file integrity.

MD5 is broken and can no longer be seen as collision-resistant.

I hereby propose to remove those hashes. Any tool that relies on the API and its MD5 hashes SHOULD break and be upgraded. We can announce it before doing the change, but we can't warn on such usage programmatically.

We already have SHA-256 there, which is fine. We should also add the PGP signatures we provide in the announcement e-mails.

------------------------------------------------------------------------
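
An added example, not part of the bug report or of php.net's code: how a tool consuming the release API could verify a download against the published SHA-256 only, failing closed when an entry carries nothing but MD5. The entry keys ("filename", "md5", "sha256"), the file name and the payload are constructed assumptions.

```python
import hashlib
import hmac
import io
import re

# Constructed sample data: stand-in tarball bytes and a release entry shaped
# like one file record. The keys "filename", "md5" and "sha256" are assumed.
PAYLOAD = b"constructed tarball bytes for this example\n"
ENTRY = {
    "filename": "php-x.y.z.tar.gz",  # placeholder name
    "md5": "0" * 32,                 # constructed; deliberately never read
    "sha256": hashlib.sha256(PAYLOAD).hexdigest(),
}


class IntegrityError(Exception):
    """The download could not be verified against a SHA-256 digest."""


def verify_release(entry, stream, chunk_size=65536):
    """Return True if stream hashes to entry['sha256']; raise otherwise.

    Fails closed when no well-formed SHA-256 is published: there is no
    fallback to the MD5 field, which is not collision-resistant.
    """
    name = entry.get("filename", "<unnamed>")
    expected = entry.get("sha256")
    if not isinstance(expected, str) or not re.fullmatch(r"[0-9a-fA-F]{64}", expected):
        raise IntegrityError(f"{name}: no usable sha256 in release entry")
    digest = hashlib.sha256()
    # Hash in chunks so large tarballs are not loaded into memory at once
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    # Constant-time comparison of the two hex strings
    if not hmac.compare_digest(digest.hexdigest(), expected.lower()):
        raise IntegrityError(f"{name}: sha256 mismatch")
    return True


if __name__ == "__main__":
    print(verify_release(ENTRY, io.BytesIO(PAYLOAD)))
```

A digest fetched from the same site as the file only detects corruption or a tampered mirror; the PGP signatures mentioned in the report are what tie a release to its signer.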
