[jira] [Commented] (IGNITE-1656) Get rid of md5 and sha1 in favor of sha512

2016-11-24 Thread Konstantin Boudnik (JIRA)

[ 
https://issues.apache.org/jira/browse/IGNITE-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15694152#comment-15694152
 ] 

Konstantin Boudnik commented on IGNITE-1656:


I stand against lowering the priority of this, because signing releases with a 
weak and proven insecure algorithm poses the risk of delivering malicious code 
to the users.

> Get rid of md5 and sha1 in favor of sha512
> --
>
> Key: IGNITE-1656
> URL: https://issues.apache.org/jira/browse/IGNITE-1656
> Project: Ignite
> Issue Type: Bug
> Components: cache
> Affects Versions: ignite-1.4
> Reporter: Ivan Veselovsky
> Fix For: 2.0
>
>
> Description of the problem wrt sha1 is there:   
> https://sites.google.com/site/itstheshappening/ .



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (IGNITE-1656) Get rid of md5 and sha1 in favor of sha512

2015-12-29 Thread Konstantin Boudnik (JIRA)

[ 
https://issues.apache.org/jira/browse/IGNITE-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15074405#comment-15074405
 ] 

Konstantin Boudnik commented on IGNITE-1656:


md5 and sha1 aren't recommended checksumming mechanisms:
- https://www.apache.org/dev/release-signing.html#md5-security
- https://www.apache.org/dev/release-signing.html#sha1
The easiest way of solving this is to simply use gpg to calculate all checksums 
feasible at once, including sha512:
{{gpg --print-mds apache-ignite-src.zip > apache-ignite-src.zip.mds}}
which will produce something like this in the case of the 1.5.0 release:
{noformat}
apache-ignite-1.5.0.final-src.zip:MD5 = 57 49 4B FB 88 4A C7 36  70 F5 34 D9
E5 44 F1 D5
apache-ignite-1.5.0.final-src.zip:   SHA1 = 860C FCD0 3A1C C4D0 8197  22DA D011
7FDC 2CAE 7F30
apache-ignite-1.5.0.final-src.zip: RMD160 = 0B1F BE1B C386 1406 C5F8  0FDA F2F1
EE51 D6DF 174B
apache-ignite-1.5.0.final-src.zip: SHA224 = 3600D9C3 A277CF1D C94ECAE7 CCBAFC47
51BA766F 4733EBC0 DB834074
apache-ignite-1.5.0.final-src.zip: SHA256 = 7E8ED37B 20C80461 81B7CF9A C7E1ABE0
1B6F8D3E BDB00EC6 1B6E9ABF 4440310C
apache-ignite-1.5.0.final-src.zip: SHA384 = 72F54390 F24E06A0 0AB04478 84FA5724
44FF8EE8 DBFDA895 D89E0F5D CC054BB6
38F81465 043B B799B309 16303E6C
apache-ignite-1.5.0.final-src.zip: SHA512 = 1719613A AF34DE7C 6D865201 BCAF5E56
1CFDBDD6 902AA796 3D3E51C6 0FC3CE23
57A9EA8E 8861AB84 71072F81 80BCB2BA
569866EB AF488478 09E5F982 082BC1B9
{noformat}

> Get rid of md5 and sha1 in favor of sha512
> --
>
> Key: IGNITE-1656
> URL: https://issues.apache.org/jira/browse/IGNITE-1656
> Project: Ignite
> Issue Type: Bug
> Components: cache
> Affects Versions: ignite-1.4
> Reporter: Ivan Veselovsky
> Priority: Critical
> Fix For: 1.6
>
>
> Description of the problem wrt sha1 is there:   
> https://sites.google.com/site/itstheshappening/ .





[jira] [Commented] (IGNITE-1656) Get rid of md5 and sha1 in favor of sha512

2015-10-12 Thread Konstantin Boudnik (JIRA)

[ 
https://issues.apache.org/jira/browse/IGNITE-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14953476#comment-14953476
 ] 

Konstantin Boudnik commented on IGNITE-1656:


There's a simple way to deal with it once and for all (this is the HBase, 
Hadoop approach). For all release artifacts you can run something like this:
{{for i in *.tar.gz; do echo "$i"; gpg --print-mds "$i" > "$i.mds"; done}}
gpg produces a set of checksums, including all available SHAs and some others. 
What's important is that gpg behaves the same way on all platforms, so 
verification format issues will be non-existent.

> Get rid of md5 and sha1 in favor of sha512
> --
>
> Key: IGNITE-1656
> URL: https://issues.apache.org/jira/browse/IGNITE-1656
> Project: Ignite
>  Issue Type: Bug
>  Components: cache
>Affects Versions: ignite-1.4
>Reporter: Ivan Veselovsky
> Fix For: 1.5
>
>
> Description of the problem wrt sha1 is there:   
> https://sites.google.com/site/itstheshappening/ .



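Added example, not part of the original thread or of the Ignite project's code: a downstream check for the .mds files produced by the gpg --print-mds commands in the comments above. It parses the wrapped output layout shown for the 1.5.0 release and accepts an artifact only on a complete SHA-2 digest, never on MD5 or SHA1. The function names, the sample file name and the sample bytes are constructed for illustration, and one artifact per .mds file is assumed.

```python
import hashlib
import hmac
import re

# Header line of `gpg --print-mds` output: "<file>: <ALGO> = <hex groups>"
HEADER = re.compile(r"^(?P<name>.+?):\s*(?P<algo>[A-Z]+\d+)\s*=\s*(?P<hex>[0-9A-Fa-f\s]*)$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f\s]+$")
# Digests accepted for verification; MD5 and SHA1 are parsed but never trusted.
STRONG = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def parse_mds(text):
    """Return {algo: lowercase hex digest}, joining wrapped continuation lines."""
    digests, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group("algo")
            digests[current] = m.group("hex")
        elif current and HEX_ONLY.match(line):
            digests[current] += line
    return {a: re.sub(r"\s+", "", h).lower() for a, h in digests.items()}


def verify(data, mds_text, algo="SHA512"):
    """True only if the strong digest is present, complete and matches data."""
    if algo not in STRONG:
        raise ValueError(f"{algo} is not accepted for verification")
    actual = STRONG[algo](data).hexdigest()
    expected = parse_mds(mds_text).get(algo, "")
    # A missing or truncated digest has the wrong length and fails here.
    return len(expected) == len(actual) and hmac.compare_digest(expected, actual)


def sample_mds(name, data):
    """Constructed stand-in for a .mds file (approximates gpg's wrapped layout)."""
    out = []
    for algo, fn in (("MD5", hashlib.md5), ("SHA1", hashlib.sha1), ("SHA512", hashlib.sha512)):
        h = fn(data).hexdigest().upper()
        groups = [h[i:i + 8] for i in range(0, len(h), 8)]
        rows = [" ".join(groups[i:i + 4]) for i in range(0, len(groups), 4)]
        out.append(f"{name}: {algo:>6} = " + "\n    ".join(rows))
    return "\n".join(out)


if __name__ == "__main__":
    artifact = b"constructed release bytes"
    mds = sample_mds("example-src.zip", artifact)
    print(mds, verify(artifact, mds), verify(artifact + b"!", mds), sep="\n")
```

A checksum file only detects corruption or tampering if it is obtained over a channel the attacker does not control; the detached gpg signature on the artifact remains the authenticity check.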