Re: MD5, SHA1, but nothing (still) safe?

2021-10-22 Thread Michael Osipov
On 2021-10-21 at 19:11, Mykola Nikishov wrote: Mickael Istria writes: While I'm investigating into Maven code to allow re-using checksums of Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and .sha1 seem to be used by Wagon and then also noticed that Maven Central

Re: MD5, SHA1, but nothing (still) safe?

2021-10-21 Thread Mykola Nikishov
Mickael Istria writes: > While I'm investigating into Maven code to allow re-using checksums of > Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and > .sha1 seem to be used by Wagon and then also noticed that Maven Central > doesn't contain a "safe" digest signature

Re: MD5, SHA1, but nothing (still) safe?

2021-10-14 Thread Bernd Eckenfels
and deployer. (You better not generate the trusted lists from the untrusted repository hash files). Regards, Bernd -- http://bernd.eckenfels.net From: Mickael Istria Sent: Thursday, October 14, 2021 9:56:04 AM To: Maven Developers List Subject: Re: MD5, SHA1, but nothing

Re: MD5, SHA1, but nothing (still) safe?

2021-10-14 Thread Michael Osipov
On 2021-10-13 at 16:19, Mickael Istria wrote: On Wed, Oct 13, 2021 at 2:10 PM Michael Osipov wrote: Hi Mickael, Hi Michael, this is an overly complex topic I'd like to explain. First of all Wagon is not involved in this. It does the physical transport. The payload is opaque. SHA, MD5

Re: MD5, SHA1, but nothing (still) safe?

2021-10-14 Thread Pavel Horal
Hello, I see two mixed topics in this discussion - verifying artifact transfer integrity and verifying that the downloaded artifact is really the one expected from the security perspective. The latter does not have anything to do with Maven Central or any other repository. Checksums in

Re: MD5, SHA1, but nothing (still) safe?

2021-10-14 Thread Mickael Istria
On Thu, Oct 14, 2021 at 10:36 AM Romain Manni-Bucau wrote: > I agree with Bernd, checksums are there to validate the consistency of the > artifact, nothing linked to security. > Ensuring user gets a consistent artifact as desired -and not a malicious forged one- is 1 aspect of security. On

Re: MD5, SHA1, but nothing (still) safe?

2021-10-14 Thread Romain Manni-Bucau
Hi, I agree with Bernd, checksums are there to validate the consistency of the artifact, nothing linked to security. On central the security side is provided by the asc file which is sufficient if you trust only allowed releasers keys in practice, pretending you are a releaser will be quite hard

Re: MD5, SHA1, but nothing (still) safe?

2021-10-14 Thread Mickael Istria
On Wed, Oct 13, 2021 at 8:41 PM Bernd Eckenfels wrote: > There is no Security risk with weaker checksums since the checksums are > not used for security. An attacker who messes with your binaries can also > mess with the checksum files. In our case, we have the checksum files that are served
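The distinction Pavel draws above (transfer integrity versus authenticity) and the point Bernd makes in the message Mickael quotes (whoever can replace the binary can also replace the checksum file) can be shown in a few lines of code. The following is an added example written for this page; it is not code from Maven, Wagon, Tycho, or any of the posters. It assumes a Maven-style `.sha1` sidecar (hex digest, optionally followed by a file name) and uses Ed25519 from the Go standard library as a stand-in for the PGP `.asc` detached signature that Maven Central actually serves; the artifact bytes, the "backdoored" replacement and the key pair are all constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Artifact is a constructed stand-in for a jar together with the two sidecar
// files a repository serves next to it: the checksum and the detached signature.
type Artifact struct {
	Bytes []byte // payload as served by the repository
	Sha1  string // contents of the .sha1 sidecar, served by the same repository
	Sig   []byte // detached signature (stand-in for the .asc file)
}

// parseSidecar extracts the hex digest from a Maven-style checksum sidecar.
// Sidecars carry either the bare digest or "digest  filename" (sha1sum format).
func parseSidecar(s string) (string, error) {
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return "", fmt.Errorf("empty checksum file")
	}
	d := strings.ToLower(fields[0])
	if _, err := hex.DecodeString(d); err != nil {
		return "", fmt.Errorf("checksum is not hex: %w", err)
	}
	return d, nil
}

// ChecksumMatches answers only "did the bytes arrive as the repository published them?"
// Both inputs come from the same (untrusted) repository, so this is transfer integrity.
func ChecksumMatches(a Artifact) bool {
	want, err := parseSidecar(a.Sha1)
	if err != nil {
		return false
	}
	sum := sha1.Sum(a.Bytes)
	return hex.EncodeToString(sum[:]) == want
}

// SignatureValid answers "were these bytes signed by the releaser's key?"
// The trusted public key is supplied by the consumer, never read from the repository.
func SignatureValid(a Artifact, releaser ed25519.PublicKey) bool {
	return ed25519.Verify(releaser, a.Bytes, a.Sig)
}

// Publish simulates a releaser deploying an artifact with its checksum and signature.
func Publish(payload []byte, priv ed25519.PrivateKey) Artifact {
	sum := sha1.Sum(payload)
	return Artifact{
		Bytes: payload,
		Sha1:  hex.EncodeToString(sum[:]),
		Sig:   ed25519.Sign(priv, payload),
	}
}

// Tamper simulates an attacker who controls the repository or a mirror: they
// replace the payload and regenerate the checksum sidecar to match. They keep the
// old signature because they cannot produce a new one without the private key.
func Tamper(a Artifact, evil []byte) Artifact {
	sum := sha1.Sum(evil)
	return Artifact{Bytes: evil, Sha1: hex.EncodeToString(sum[:]), Sig: a.Sig}
}

// Scenario runs the three cases discussed in the thread and reports:
// genuine artifact passes both checks; repository-side tampering passes the
// checksum but fails the signature; transport corruption fails the checksum.
func Scenario() (genuineOK, tamperedChecksumOK, tamperedSigOK, corruptedChecksumOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed releaser key pair
	if err != nil {
		panic(err)
	}
	a := Publish([]byte("PK\x03\x04 constructed jar bytes"), priv)
	genuineOK = ChecksumMatches(a) && SignatureValid(a, pub)

	t := Tamper(a, []byte("PK\x03\x04 backdoored jar bytes"))
	tamperedChecksumOK = ChecksumMatches(t) // true: attacker rewrote the .sha1 too
	tamperedSigOK = SignatureValid(t, pub)  // false: signature no longer covers the bytes

	c := a // transport corruption: one flipped byte, sidecar untouched
	c.Bytes = append([]byte{}, a.Bytes...)
	c.Bytes[len(c.Bytes)-1] ^= 0x01
	corruptedChecksumOK = ChecksumMatches(c)
	return
}

func main() {
	g, tc, ts, cc := Scenario()
	fmt.Printf("genuine: checksum+signature=%v\n", g)
	fmt.Printf("repository-tampered: checksum=%v signature=%v\n", tc, ts)
	fmt.Printf("transport-corrupted: checksum=%v\n", cc)
}
```

Swapping SHA-1 for SHA-256 in `ChecksumMatches` changes nothing in the tampering case, because the attacker recomputes whichever digest the sidecar format asks for; only the signature check, with a key trusted independently of the repository, distinguishes the forged artifact from the genuine one.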

Re: MD5, SHA1, but nothing (still) safe?

2021-10-13 Thread Bernd Eckenfels
: Mickael Istria Sent: Wednesday, October 13, 2021 4:19:09 PM To: Maven Developers List Subject: Re: MD5, SHA1, but nothing (still) safe? On Wed, Oct 13, 2021 at 2:10 PM Michael Osipov wrote: > Hi Mickael, > Hi Michael, > > this is an overly complex topic I'd like to explain. >

Re: MD5, SHA1, but nothing (still) safe?

2021-10-13 Thread Mickael Istria
On Wed, Oct 13, 2021 at 2:10 PM Michael Osipov wrote: > Hi Mickael, > Hi Michael, > > this is an overly complex topic I'd like to explain. > First of all Wagon is not involved in this. It does the physical > transport. The payload is opaque. SHA, MD5 aren't verifying any > signatures, it is

Re: MD5, SHA1, but nothing (still) safe?

2021-10-13 Thread Michael Osipov
On 2021-10-13 at 12:10, Mickael Istria wrote: Hi all, While I'm investigating into Maven code to allow re-using checksums of Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and .sha1 seem to be used by Wagon and then also noticed that Maven Central doesn't contain a

Re: MD5, SHA1, but nothing (still) safe?

2021-10-13 Thread Delany
Might be helpful: https://checksum-maven-plugin.nicoulaj.net/examples/using-custom-checksum-algorithms.html Delany On Wed, 13 Oct 2021 at 12:10, Mickael Istria wrote: > Hi all, > > While I'm investigating into Maven code to allow re-using checksums of > Maven artifacts when "p2-ifying" them

MD5, SHA1, but nothing (still) safe?

2021-10-13 Thread Mickael Istria
Hi all, While I'm investigating into Maven code to allow re-using checksums of Maven artifacts when "p2-ifying" them with Tycho, I noticed only .md5 and .sha1 seem to be used by Wagon and then also noticed that Maven Central doesn't contain a "safe" digest signature either. In this world of