Re: correct format for the md5 files?
On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote: ...but it got me wondering, what format do we want?... The format that Yonik used works (on my macosx system, but also under Linux I suspect) with md5sum -c apache-solr-1.1.0-incubating.tgz.md5 which is convenient I think. -Bertrand
Re: correct format for the md5 files?
: The format that Yonik used works (on my macosx system, but also under : Linux I suspect) with : : md5sum -c apache-solr-1.1.0-incubating.tgz.md5 hey look at that ... a -c option on md5sum. The FreeBSD md5 command doesn't seem to have a corrisponding check command, so making sure md5sum -c works seems like a worthwhile goal. Fortunately you can do a lot of amazing things with any macros ... unfortunately ant doesn't seem to have any notion of variables so it's not pretty to look at. ant package now builds the md5 files automatically in the same format as the md5sum command ... if anyone sees anything wrong with it we can allways yank it out. -Hoss
Re: correct format for the md5 files?
This isn't as urgent as you make it out to be. There are just a few people in the world, mostly Chinese researchers, who have the capability to do this. I agree that SHA is better, but this clearly isn't the type of thing that should hold up a Solr release! phil. On Dec 8, 2006, at 4:37 PM, Simon Willnauer wrote: Hello, I'm wondering why people still use MD5 for digital signatures and / or checksums. Recent results on the analysis of MD5 reduce the effort to find collisions to a few minutes on an old notebook. Thus, collision and multi-collision attacks on MD5 are feasible and practical. I would recommend to migrate directly from MD5 to SHA-2 and add SHA-2 hashes to existing MD5 lists if possible. Wherever MD5 is still used to detect the manipulation of data or software, it must be replaced as soon as possible! just my 2 cent. best regards simon On 12/8/06, Bertrand Delacretaz [EMAIL PROTECTED] wrote: On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote: ...but it got me wondering, what format do we want?... The format that Yonik used works (on my macosx system, but also under Linux I suspect) with md5sum -c apache-solr-1.1.0-incubating.tgz.md5 which is convenient I think. -Bertrand -- Whirlycott Philip Jacob [EMAIL PROTECTED] http://www.whirlycott.com/phil/
Re: correct format for the md5 files?
Hello, I'm wondering why people still use MD5 for digital signatures and / or checksums. Recent results on the analysis of MD5 reduce the effort to find collisions to a few minutes on an old notebook. Thus, collision and multi-collision attacks on MD5 are feasible and practical. I would recommend to migrate directly from MD5 to SHA-2 and add SHA-2 hashes to existing MD5 lists if possible. Wherever MD5 is still used to detect the manipulation of data or software, it must be replaced as soon as possible! just my 2 cent. best regards simon On 12/8/06, Bertrand Delacretaz [EMAIL PROTECTED] wrote: On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote: ...but it got me wondering, what format do we want?... The format that Yonik used works (on my macosx system, but also under Linux I suspect) with md5sum -c apache-solr-1.1.0-incubating.tgz.md5 which is convenient I think. -Bertrand
Re: correct format for the md5 files?
True, so do it proper if you can. best regards simon On 12/8/06, WHIRLYCOTT [EMAIL PROTECTED] wrote: This isn't as urgent as you make it out to be. There are just a few people in the world, mostly Chinese researchers, who have the capability to do this. I agree that SHA is better, but this clearly isn't the type of thing that should hold up a Solr release! phil. On Dec 8, 2006, at 4:37 PM, Simon Willnauer wrote: Hello, I'm wondering why people still use MD5 for digital signatures and / or checksums. Recent results on the analysis of MD5 reduce the effort to find collisions to a few minutes on an old notebook. Thus, collision and multi-collision attacks on MD5 are feasible and practical. I would recommend to migrate directly from MD5 to SHA-2 and add SHA-2 hashes to existing MD5 lists if possible. Wherever MD5 is still used to detect the manipulation of data or software, it must be replaced as soon as possible! just my 2 cent. best regards simon On 12/8/06, Bertrand Delacretaz [EMAIL PROTECTED] wrote: On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote: ...but it got me wondering, what format do we want?... The format that Yonik used works (on my macosx system, but also under Linux I suspect) with md5sum -c apache-solr-1.1.0-incubating.tgz.md5 which is convenient I think. -Bertrand -- Whirlycott Philip Jacob [EMAIL PROTECTED] http://www.whirlycott.com/phil/
Re: correct format for the md5 files?
Oh by the way I do have 2 people in this room being able to find collisions to md5 within the next 15 minutes. But it is true that this is quiet hypothetical . anyway... yours simon On 12/8/06, Simon Willnauer [EMAIL PROTECTED] wrote: True, so do it proper if you can. best regards simon On 12/8/06, WHIRLYCOTT [EMAIL PROTECTED] wrote: This isn't as urgent as you make it out to be. There are just a few people in the world, mostly Chinese researchers, who have the capability to do this. I agree that SHA is better, but this clearly isn't the type of thing that should hold up a Solr release! phil. On Dec 8, 2006, at 4:37 PM, Simon Willnauer wrote: Hello, I'm wondering why people still use MD5 for digital signatures and / or checksums. Recent results on the analysis of MD5 reduce the effort to find collisions to a few minutes on an old notebook. Thus, collision and multi-collision attacks on MD5 are feasible and practical. I would recommend to migrate directly from MD5 to SHA-2 and add SHA-2 hashes to existing MD5 lists if possible. Wherever MD5 is still used to detect the manipulation of data or software, it must be replaced as soon as possible! just my 2 cent. best regards simon On 12/8/06, Bertrand Delacretaz [EMAIL PROTECTED] wrote: On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote: ...but it got me wondering, what format do we want?... The format that Yonik used works (on my macosx system, but also under Linux I suspect) with md5sum -c apache-solr-1.1.0-incubating.tgz.md5 which is convenient I think. -Bertrand -- Whirlycott Philip Jacob [EMAIL PROTECTED] http://www.whirlycott.com/phil/
Re: Re: correct format for the md5 files?
On 12/8/06, Simon Willnauer [EMAIL PROTECTED] wrote: Oh by the way I do have 2 people in this room being able to find collisions to md5 within the next 15 minutes. But it is true that this is quiet hypothetical . anyway... Can they also produce a malicious distribution of solr which hashes identically? g. It _is_ a valid concern in general (I would never use md5 as a cryptographic hash, e.g., for passwords), but significantly less of a concern for this use. The most important role of the hash is to ensure no corruption occurred during transfer. cheers, -Mike
Re: Re: correct format for the md5 files?
: It _is_ a valid concern in general (I would never use md5 as a : cryptographic hash, e.g., for passwords), but significantly less of a : concern for this use. The most important role of the hash is to : ensure no corruption occurred during transfer. Bingo: We checksum the files with MD5, we sign the files with GPG -Hoss
Re: Re: correct format for the md5 files?
On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote: : It _is_ a valid concern in general (I would never use md5 as a : cryptographic hash, e.g., for passwords), but significantly less of a : concern for this use. The most important role of the hash is to : ensure no corruption occurred during transfer. Bingo: We checksum the files with MD5, we sign the files with GPG And the standard digital signature content hash is defined to be SHA-1 AFAIK. And yes, someone has managed to find a way to get collisions in SHA1 hashes in less time than it would take to purely guess at random. But let's be serious... for our projects it's going to be far easier and cheaper to circumvent the encryption than break it. When PGP/GPG switch to a different mechanism by default, so will we. -Yonik
