[jbosstools-issues] [JBoss JIRA] (JBIDE-24642) Please include sha256 checksums in announcements

Jesper Skov (JIRA) issues at jboss.org
Wed Jul 5 00:40:00 EDT 2017 

    [ https://issues.jboss.org/browse/JBIDE-24642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13431023#comment-13431023 ] 

Jesper Skov commented on JBIDE-24642:
-------------------------------------

Including them on the download page would also be fine. This is what I see at e.g. eclipse.org and sonatype.org.

Anywhere that is hosted elsewhere/differently than the actual (possibly mirrored) files would suffice in my view.

Whichever makes it the simplest to do, but including the checksums at all three places would also work :)

Cheers!


> Please include sha256 checksums in announcements
> ------------------------------------------------
>
>                 Key: JBIDE-24642
>                 URL: https://issues.jboss.org/browse/JBIDE-24642
>             Project: Tools (JBoss Tools)
>          Issue Type: Feature Request
>          Components: build, website
>            Reporter: Jesper Skov
>            Assignee: Nick Boldt
>             Fix For: LATER
>
>
> I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and eclipse-related binaries.
> Or even better, verify a signature.
> Today, when I want to use a JBossTools release, I would download
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip
> And my only opportunity to verify the file is by downloading the sha256 file that lies next to it:
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip.sha256
> If a hacker manages to replace the updatesite archive with compromised files, I assume they will have the brains to also update the checksum file next to it.
> So the current checksum can really only be used to verify the integrity of the downloaded file.
> Not that its contents is untampered.
> If the jar-files in the archive were signed, it would be less of an issue...
> Signed artifacts would be best. But would probably take some effort to put in place.
> A simpler remedy would be to include the checksums in the announcement. This would give an additional factor of security for those who care about that.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jbosstools-issues mailing list