[jbosstools-issues] [JBoss JIRA] (JBIDE-17162) Provide sha hashes for JBT/JBDS files on tools.jboss.org
Nick Boldt (JIRA)
issues at jboss.org
Mon May 5 03:30:56 EDT 2014
[ https://issues.jboss.org/browse/JBIDE-17162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Boldt updated JBIDE-17162:
-------------------------------
Fix Version/s: 4.2.0.Beta2
> Provide sha hashes for JBT/JBDS files on tools.jboss.org
> --------------------------------------------------------
>
> Key: JBIDE-17162
> URL: https://issues.jboss.org/browse/JBIDE-17162
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: website
> Affects Versions: 4.2.0.Beta1
> Reporter: Marián Labuda
> Fix For: 4.2.0.Beta2
>
>
> We are providing md5s hashes for JBT and JBDS files (archives links under Update Site Zip). Bcs. it is long known about md5 security flaws (collisions) it is recommended to use sha hashes instead.
> Question is - do we provide md5 hashes only because of data integrity (if there are any missing bits after download) or we are trying to ensure security? In first case it's enough to use md5 (although there could be also hash collisions but it's unlikely). In second case there could be for example performed MITM attack (or any other...) and our files could be replaced by malformed/infected - there should be provided sha hashes instead of md5, but there still remains question if it would be enough without having not-secured web pages (without certificate) and sha links leading to sourceforge (I think that it would not be enough and hashes would have to be stored on tools.jboss.org domain).
--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
More information about the jbosstools-issues
mailing list