Issue 8839 - never use md5 and/or sha1, use sha-3 512 and/or blake3, file signing
Status: VERIFIED FIXED
Alias: None
Product: website
Classification: Unclassified
Component: website
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2018-04-18 12:57 UTC by .
Modified: 2021-04-01 22:24 UTC

Description . 2018-04-18 12:57:36 UTC
Full_Name: openldap user
Version: 
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2.87.231.80)


use a 4096-bit rsa key for signing the release files
Comment 1 . 2020-09-20 08:54:23 UTC
openldap-2.4.53.md5                                07-Sep-2020 15:20                  59
openldap-2.4.53.sha1                               07-Sep-2020 15:20                  68


you are still using md5 and sha1. these are broken.

use sha3-512 and/or blake3.

start signing the files. you can use gnupg for that.
Comment 3 Quanah Gibson-Mount 2020-11-17 19:27:23 UTC
generation of sha3-512 is now in for 2.5
Comment 4 Quanah Gibson-Mount 2021-04-01 22:24:00 UTC
Commits: 
  • 32761fa3 
by Quanah Gibson-Mount at 2021-04-01T21:03:12+00:00 
ITS#8839 - Only generate SHA3 hash now that we also have GPG, drop MD5/SHA1
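
The following is an added example, not code from the OpenLDAP project or from this issue: a release verifier that enforces the policy the thread arrives at, accepting a SHA3-512 checksum and refusing MD5 or SHA-1 outright. It assumes an OpenSSL `dgst`-style checksum line, `ALGO(filename)= hexdigest`, which the issue does not specify; the function names and sample data are hypothetical.

```python
import hashlib
import hmac
import re

# Policy assumed for this example: only SHA3-512 is accepted, MD5/SHA-1 are refused.
ALLOWED = {"SHA3-512": hashlib.sha3_512}
REJECTED = {"MD5", "SHA1", "SHA-1"}

# Assumed checksum line format (OpenSSL dgst style): ALGO(filename)= hexdigest
LINE_RE = re.compile(r"^([A-Za-z0-9-]+)\((.+)\)= ([0-9a-fA-F]+)\s*$")


def parse_checksum_line(line):
    """Return (algo, filename, digest_hex); raise ValueError on policy or format errors."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised checksum line")
    algo, name, digest = m.group(1).upper(), m.group(2), m.group(3).lower()
    if algo in REJECTED:
        raise ValueError(f"{algo} is not accepted for release verification")
    if algo not in ALLOWED:
        raise ValueError(f"unsupported algorithm {algo}")
    # A truncated digest must not be silently compared against a prefix.
    if len(digest) != ALLOWED[algo]().digest_size * 2:
        raise ValueError("digest length does not match algorithm")
    return algo, name, digest


def verify_release(chunks, filename, checksum_line):
    """Hash an iterable of byte chunks and compare against the checksum line."""
    algo, name, expected = parse_checksum_line(checksum_line)
    if name != filename:
        raise ValueError("checksum line is for a different file")
    h = ALLOWED[algo]()
    for chunk in chunks:  # streaming keeps memory flat for large tarballs
        h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    # Constructed sample data, not a real release file.
    data = [b"constructed ", b"release bytes"]
    name = "example-1.0.tgz"
    good = f"SHA3-512({name})= {hashlib.sha3_512(b''.join(data)).hexdigest()}"
    print("sha3-512 match:", verify_release(data, name, good))
    try:
        verify_release(data, name, f"MD5({name})= {'0' * 32}")
    except ValueError as exc:
        print("rejected:", exc)
```

A matching digest only shows that the file agrees with the checksum line; authenticity still depends on verifying the GPG signature that the commit message refers to.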