You should be Using SHA256/SHA512 on the Downloads Page

Started by douche, April 27, 2018, 03:18:59 PM

douche

MD5 is easily forged with $10K of computer equipment.

Even SHA1 is no longer safe, according to Google:
https://www.infoworld.com/article/3173845/encryption/google-kills-sha-1-with-successful-collision-attack.html

Please list SHA256/SHA512 hashes for each download.

AQUAR

Curious if you ever had some sort of issue with Avidemux that a check against a hash string would have avoided?

Not that I am against hash verification or that I think it would be hard to automate the generation of a SHA hash for each compile.

eumagga0x2a

Listing cryptographically robust hashes on web pages distributed over HTTP is pointless. The only real improvement would be to use detached GPG signatures (which virtually nobody on Windows will check).


AQUAR

Stating that hashes are pointless over HTTP is just a bit harsh.

When source and hash are coming from the same origin, it does provide extra integrity verification of the data transmitted.

If there is some malicious intrusion over HTTP then that is another story.

That said, I never had an issue with fetching nightlies from the official repository.
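
The two positions in this thread can be checked side by side. The sketch below is an added example, not part of any post and not Avidemux project code: it verifies a download against a `sha256sum`-style listing and shows which failures a same-origin hash catches and which it cannot. The file name and all byte strings are constructed sample data.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdefABCDEF")

def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")
        if len(digest) == 64 and set(digest) <= HEX and name:
            sums[name] = digest.lower()  # malformed lines are skipped
    return sums

def verify(name, data, sums_text):
    """True if data matches the digest listed for name; a missing entry fails."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_stream(io.BytesIO(data)), expected)

def listing(name, data):
    """Build one sha256sum-style line for the given bytes."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

# Constructed sample data; the file name is hypothetical.
NAME = "installer_sample.exe"
ORIGINAL = b"constructed installer bytes" * 1000
PUBLISHED = listing(NAME, ORIGINAL)

def demo():
    truncated = ORIGINAL[:-512]                 # transfer cut short
    replaced = b"different bytes" * 1000        # file changed in transit
    replaced_listing = listing(NAME, replaced)  # hash page changed with it
    return {
        "intact": verify(NAME, ORIGINAL, PUBLISHED),
        "truncated": verify(NAME, truncated, PUBLISHED),
        "file_only_changed": verify(NAME, replaced, PUBLISHED),
        "file_and_listing_changed": verify(NAME, replaced, replaced_listing),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

The last case still matches because the hash page and the file travelled over the same unauthenticated channel; a detached signature made with a key the user already trusts is what would fail there.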