Marián Labuda resolved JBIDE-17162.
-----------------------------------
Assignee: (was: Nick Boldt)
Fix Version/s: (was: 4.2.0.Beta2)
Resolution: Rejected
Rejected because there is no value in this.
Provide sha hashes for JBT/JBDS files on tools.jboss.org
--------------------------------------------------------
Key: JBIDE-17162
URL: https://issues.jboss.org/browse/JBIDE-17162
Project: Tools (JBoss Tools)
Issue Type: Enhancement
Components: website
Affects Versions: 4.2.0.Beta1
Reporter: Marián Labuda
We are providing md5 hashes for JBT and JBDS files (archive links under Update Site
Zip). Because md5's security flaws (collisions) have long been known, it is recommended to use
sha hashes instead.
The question is: do we provide md5 hashes only for data integrity (in case there are any
missing bits after download), or are we trying to ensure security? In the first case it's
enough to use md5 (although there could also be hash collisions, it's unlikely). In the
second case, for example, a MITM attack (or any other...) could be performed and our
files could be replaced by malformed/infected ones - sha hashes should be provided
instead of md5, but there still remains the question of whether that would be enough without having
not-secured web pages (without certificate) and sha links leading to sourceforge (I think
that it would not be enough and the hashes would have to be stored on the
tools.jboss.org domain).
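
An added example, not part of the issue or of any JBoss Tools code, showing the distinction the description draws: a matching digest proves only integrity unless the digest itself came over HTTPS from the publisher's own domain. SHA-256, the sha256sum line format, the file name and the URLs are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_HOST = "tools.jboss.org"  # domain named in the issue; the policy is an assumption


def checksum_source_is_trusted(checksum_url, trusted_host=TRUSTED_HOST):
    """A digest authenticates a file only if the digest itself arrived over an
    authenticated channel (HTTPS) from the publisher's own domain."""
    parts = urlsplit(checksum_url)
    return parts.scheme == "https" and (parts.hostname or "") == trusted_host


def parse_checksum_line(line):
    """Parse one 'HEXDIGEST  filename' line (sha256sum output format)."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")  # drop the separator and the binary-mode marker
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest.lower(), name


def verify(data, file_name, checksum_line, checksum_url):
    """Return 'authentic', 'integrity-only' or 'mismatch'."""
    expected, name = parse_checksum_line(checksum_line)
    actual = hashlib.sha256(data).hexdigest()
    if name != file_name or not hmac.compare_digest(actual, expected):
        return "mismatch"
    # The bytes match the published digest; whether that says anything about
    # tampering depends on where the digest was obtained.
    return "authentic" if checksum_source_is_trusted(checksum_url) else "integrity-only"


if __name__ == "__main__":
    # Constructed sample data: stand-in archive bytes and its checksum line.
    archive = b"constructed stand-in for an update site zip"
    line = hashlib.sha256(archive).hexdigest() + "  updatesite.zip"
    for url in (
        "https://tools.jboss.org/checksums/updatesite.zip.sha256",   # constructed path
        "http://tools.jboss.org/checksums/updatesite.zip.sha256",    # no certificate
        "https://sourceforge.net/projects/example/updatesite.zip.sha256",  # mirror
    ):
        print(url, "->", verify(archive, "updatesite.zip", line, url))
    print("tampered ->", verify(archive + b"!", "updatesite.zip", line,
                                "https://tools.jboss.org/checksums/updatesite.zip.sha256"))
```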