-
I think it's time to do that. Biggest reason to keep producing md5 was so old (ancient now!) Eclipse versions can still read the new p2 sites but everything has a limit and 4 years is more than enough.
-
Besides the point that old/ancient P2 versions can read newly created p2-repos I see no point in publishing insecure checksums if more secure ones are generated anyways. However it should be announced loudly (on the mailing list when the PR is opened and in the N&N after it was submitted) that MD5 are not supported anymore and what the implications are.
-
As there seems some kind of consent I have now created: #164
-
I tried to add support for sha1 / sha512 to P2 but that surprisingly revealed a lot of things to consider.
One such point is, that currently P2 produces checksums for all registered `artifactChecksums` extension point, including md5.
As we warn for a while (afaiks > 1 year as added with de26c6f) and sha-256 is produced for more than 4 years now (afaiks since > 4 years added with 9e5ac91) I wonder if it is maybe time to completely stop publishing md5 sums in new repositories (we can still read them though).
Given that Tycho is always a bit behind, we most likely will see update-site without md5 site not earlier than 2022-03 ...