bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] [PATCH] Support Metalink's md5, sha1, sha256, sha384, and


From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] Support Metalink's md5, sha1, sha256, sha384, and sha512 hashes
Date: Tue, 02 Aug 2016 11:46:08 +0200
User-agent: KMail/5.2.3 (Linux/4.6.0-1-amd64; KDE/5.23.0; x86_64; ; )

On Tuesday, August 2, 2016 9:31:07 AM CEST Matthew White wrote:
> On Sat, 30 Jul 2016 12:01:16 +0200
> 
> Matthew White <address@hidden> wrote:
> > Hello,
> > I see that Metalink's checksum verification is limited to sha256.
> > 
> > I cannot find an option to enable md5, sha1, sha384, or sha512.
> > 
> > Attached to this message there is a patch to add md5, sha1, sha384, and
> > sha512 computation to the Metalink module.
> > 
> > Let me know what you think.
> 
> Hi,
> 
> After the suggestions of Tim, I changed the patch description. So, scratch
> the previous patch and use this one instead.
> 
> I also added support for sha-224 to the Metalink module.
> 
> There are two patches attached, the second one adds support for the
> deprecated md2 and md4, since they are insecure I prefer to keep the patch
> separated from the main one.
> 
> Do you think it's right to enable md2 and md4? Let me know.

IMO, this is right.
I don't see a security issue here - these algorithms are good enough to check 
the data integrity and that is all we use it for.

For authenticity we have TLS and/or the included GPG signature - where we 
could think about limiting/checking trusted identities only (or interactively 
ask the user if he knows/trusts the signer).

Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]