[jbosstools-issues] [JBoss JIRA] (JBIDE-24642) Please include sha256 checksums in announcements
Jesper Skov (JIRA)
issues at jboss.org
Wed Jul 5 00:40:00 EDT 2017
[ https://issues.jboss.org/browse/JBIDE-24642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13431023#comment-13431023 ]
Jesper Skov commented on JBIDE-24642:
-------------------------------------
Including them on the download page would also be fine. This is what I see at e.g. eclipse.org and sonatype.org.
Anywhere that is hosted elsewhere/differently than the actual (possibly mirrored) files would suffice in my view.
Whichever makes it the simplest to do, but including the checksums at all three places would also work :)
Cheers!
> Please include sha256 checksums in announcements
> ------------------------------------------------
>
> Key: JBIDE-24642
> URL: https://issues.jboss.org/browse/JBIDE-24642
> Project: Tools (JBoss Tools)
> Issue Type: Feature Request
> Components: build, website
> Reporter: Jesper Skov
> Assignee: Nick Boldt
> Fix For: LATER
>
>
> I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and eclipse-related binaries.
> Or even better, verify a signature.
> Today, when I want to use a JBossTools release, I would download
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip
> And my only opportunity to verify the file is by downloading the sha256 file that lies next to it:
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip.sha256
> If a hacker manages to replace the updatesite archive with compromised files, I assume they will have the brains to also update the checksum file next to it.
> So the current checksum can really only be used to verify the integrity of the downloaded file.
> Not that its contents is untampered.
> If the jar-files in the archive were signed, it would be less of an issue...
> Signed artifacts would be best. But would probably take some effort to put in place.
> A simpler remedy would be to include the checksums in the announcement. This would give an additional factor of security for those who care about that.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jbosstools-issues
mailing list