[jbosstools-issues] [JBoss JIRA] (JBIDE-24642) Please include sha256 checksums in announcements
Nick Boldt (JIRA)
issues at jboss.org
Mon Jul 24 18:52:00 EDT 2017
[ https://issues.jboss.org/browse/JBIDE-24642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Boldt updated JBIDE-24642:
-------------------------------
Fix Version/s: 4.5.0.Final
(was: LATER)
> Please include sha256 checksums in announcements
> ------------------------------------------------
>
> Key: JBIDE-24642
> URL: https://issues.jboss.org/browse/JBIDE-24642
> Project: Tools (JBoss Tools)
> Issue Type: Feature Request
> Components: build, website
> Reporter: Jesper Skov
> Assignee: Nick Boldt
> Fix For: 4.5.0.Final
>
>
> I would like to be able to verify checksums on downloaded JBoss artifacts - both EAP and eclipse-related binaries.
> Or even better, verify a signature.
> Today, when I want to use a JBossTools release, I would download
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip
> And my only opportunity to verify the file is by downloading the sha256 file that lies next to it:
> http://download.jboss.org/jbosstools/static/oxygen/development/updates/core/jbosstools-4.5.0.AM1-updatesite-core.zip.sha256
> If a hacker manages to replace the updatesite archive with compromised files, I assume they will have the brains to also update the checksum file next to it.
> So the current checksum can really only be used to verify the integrity of the downloaded file.
> Not that its contents is untampered.
> If the jar-files in the archive were signed, it would be less of an issue...
> Signed artifacts would be best. But would probably take some effort to put in place.
> A simpler remedy would be to include the checksums in the announcement. This would give an additional factor of security for those who care about that.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jbosstools-issues
mailing list