Avidemux Forum

Avidemux => Main version 2.6 => Topic started by: douche on April 27, 2018, 03:18:59 PM

Title: You should be Using SHA256/SHA512 on the Downloads Page
Post by: douche on April 27, 2018, 03:18:59 PM
MD5 is easily forged with $10K of computer equipment.

Even SHA1 is no longer safe, according to Google:
https://www.infoworld.com/article/3173845/encryption/google-kills-sha-1-with-successful-collision-attack.html

Please list SHA256/SHA512 hashes for each download.
Title: Re: You should be Using SHA256/SHA512 on the Downloads Page
Post by: AQUAR on April 29, 2018, 12:32:56 PM
Curious if you ever had some sort of issue with avidemux that a check against a hash string would have avoided?

Not that I am against hash verification or that I think it would be hard to automate the generation of a sha hash for each compile.



Title: Re: You should be Using SHA256/SHA512 on the Downloads Page
Post by: eumagga0x2a on April 29, 2018, 01:40:30 PM
Listing cryptographically robust hashes on web pages distributed over HTTP is pointless. The only real improvement would be to use detached GPG signatures (which virtually nobody on Windows will check).

Title: Re: You should be Using SHA256/SHA512 on the Downloads Page
Post by: AQUAR on May 01, 2018, 01:02:30 PM
Stating that hashes are pointless over HTTP is just a bit harsh.

When source and hash are coming from the same origin, it does provide extra integrity verification of the data transmitted.

If there is some malicious intrusion over HTTP then that is another story.

That said I never had an issue with fetching nightlies from the official repository.