
RE: [PATCH] use SHA-2 hashes for releases

From: Markus Schaber <m.schaber_at_codesys.com>
Date: Thu, 29 Jun 2017 07:42:17 +0000

Hi,

From: Daniel Shahaf [mailto:d.s_at_daniel.shahaf.name]
> Andreas Stieger wrote on Wed, 28 Jun 2017 09:05 +0200:
> > On 06/28/2017 07:42 AM, Daniel Shahaf wrote:
> > > Andreas Stieger wrote on Sat, 10 Jun 2017 12:24 +0200:
> > >> Found this laying around... maybe someone who previously made
> > >> releases could check it out.
> > >
> > > Any news about this patch? I have some pending tweaks to release.py
> > > and don't want to conflict.
> >
> > No news.
>
> Okay. I'm +1 to the concept of moving to a stronger hash. The patch looks
> good, although I only reviewed the hunks (I haven't reviewed the context).
>
> I'll go ahead with my tweaks: what I have so far isn't likely to conflict
> with your in-flight patch.
>
> > > As I said about an earlier iteration: I think the main question is
> > > whether we want to provide both sha1 and sha2 hashes for a
> > > transition period. I.e., do we try for compatibility or force people to
> > > switch over to sha2.
> >
> > Those that may fail to change their "verification" from sha-1 to sha-2
> > may not have been very useful in any kind of verification in the first
> > place. So unless there is a technical reason (which I do not see) I
> > would just change it.
>
> Well, sha1 verification is still useful for verifiers who trust the release
> manager to be honest, since only a collision attack has been demonstrated,
> not a chosen plaintext attack. But I was mainly thinking of not requiring
> downstreams to update their release download scripts between 1.9.5 and 1.9.6.

I'd vote to provide both SHA1 and SHA2 for existing stable branches (1.8.x,
1.9.x), and move to SHA2 only for 1.10 and ongoing releases.

Just for the sake of backwards compatibility with existing downstream
infrastructure. I agree that SHA1 is not completely useless for verification,
it seems still useful against MITM attacks, or malicious download servers.

Best regards

Markus Schaber

Received on 2017-06-29 09:55:11 CEST
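
A downstream verification step that keeps working through the transition discussed in this thread (stable branches publishing both SHA-1 and SHA-2 files, later releases SHA-2 only), as an added example that is not part of the original mail or of Subversion's release.py. The function names, the accepted checksum-file layouts and the sample data are assumptions made for illustration.

```python
import hashlib

# Strongest first; these are hashlib algorithm names.
PREFERENCE = ("sha512", "sha256", "sha1")


class VerificationError(Exception):
    pass


def parse_checksum_file(text):
    """Accept a bare hex digest or 'digest  filename' (assumed layouts)."""
    fields = text.split()
    if not fields:
        raise VerificationError("empty checksum file")
    return fields[0].lower()


def verify_release(data, published, allow_sha1_only=False):
    """Check data against every published digest.

    published maps an algorithm name to the contents of its checksum file.
    Returns the strongest algorithm that was verified.
    """
    known = [algo for algo in PREFERENCE if algo in published]
    if not known:
        raise VerificationError("no supported checksum published")
    if known == ["sha1"] and not allow_sha1_only:
        raise VerificationError("only SHA-1 published; refused by policy")
    for algo in known:
        expected = parse_checksum_file(published[algo])
        actual = hashlib.new(algo, data).hexdigest()
        # Any mismatch fails the download, even if a stronger digest
        # matched: all published files must describe the same artifact.
        if actual != expected:
            raise VerificationError(algo + " mismatch")
    return known[0]


# Constructed sample standing in for a release tarball and its checksum files.
SAMPLE = b"constructed stand-in for a release tarball\n"
SAMPLE_PUBLISHED = {
    "sha1": hashlib.sha1(SAMPLE).hexdigest() + "\n",
    "sha512": hashlib.sha512(SAMPLE).hexdigest() + "  release.tar.bz2\n",
}

if __name__ == "__main__":
    print("verified with", verify_release(SAMPLE, SAMPLE_PUBLISHED))
```

A script written this way needs no change when a branch stops publishing the SHA-1 file, and `allow_sha1_only` makes the decision to accept an old SHA-1-only release explicit.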

This is an archived mail posted to the Subversion Dev mailing list.
