Newsgroups: php.internals
Xref: news.php.net php.internals:99656
Date: Wed, 28 Jun 2017 11:25:42 -0400
Subject: Re: [PHP-DEV] MD5 no longer part of release process
From: pollita@php.net (Sara Golemon)
To: Niklas Keller
Cc: PHP internals

On Wed, Jun 28, 2017 at 2:58 AM, Niklas Keller wrote:
> 2017-06-28 4:19 GMT+02:00 Sara Golemon:
>> I've pushed two commits to remove MD5 from www.php.net and qa.php.net,
>> however it should be noted that I left a fair amount of md5 in web-php
>> because very old releases have neither GPG signatures nor SHA256
>> checksums, and while MD5 is weak and broken, it's better than nothing.
>>
> Can't we just rehash them?
>

If we agree that we trust the existing binaries haven't been compromised at any point, sure. But at that point we'd be saying "Here's a trustable sha256/gpg signature for a file" when really it's "Here's a signature that's only really as trustable as the md5 we used to verify it when we rehashed".

In the interest of not presenting a false sense of security, I'd vote "No" on that. Our past few years of releases are more reliably signed, and we can be honest about what's in the attic.
That all said, it wouldn't be a terrible idea to anchor some gpg sigs of the old archives (in an explicitly flagged repo) just to be able to say "They haven't changed since Jun 2017". -Sara
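As an added example (not from this thread and not php.net's release tooling), one way to anchor an old archive the way the message describes: gate the rehash on the legacy MD5, then emit a SHA-256 record that states its trust is inherited from that MD5 check and is only an "unchanged since" anchor, not a fresh attestation. The archive bytes, field names and anchor date are constructed for illustration.

```python
import hashlib
from datetime import date

# Constructed sample "archive" and its legacy MD5 (not a real PHP release).
SAMPLE_ARCHIVE = b"php-old-release.tar.gz (constructed sample contents)\n"
LEGACY_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()


def legacy_check_passes(archive: bytes, legacy_md5: str) -> bool:
    """True only if the archive still matches the MD5 we have on record."""
    return hashlib.md5(archive).hexdigest() == legacy_md5.lower()


def rehash_with_provenance(archive: bytes, legacy_md5: str, anchored_on: date) -> dict:
    """Produce a SHA-256 record for an archive that only has a legacy MD5.

    The new digest is no more trustworthy than the MD5 check that gated it,
    so the record says so explicitly instead of looking like a fresh signature
    made at release time.
    """
    if not legacy_check_passes(archive, legacy_md5):
        raise ValueError("legacy MD5 mismatch; refusing to rehash")
    return {
        "sha256": hashlib.sha256(archive).hexdigest(),
        "legacy_md5": legacy_md5.lower(),
        # Trust is inherited from the MD5 verification, nothing stronger.
        "verified_by": "legacy-md5",
        # What the record actually attests: unchanged since this date.
        "attestation": "unchanged-since-anchor",
        "anchored_on": anchored_on.isoformat(),
    }


if __name__ == "__main__":
    record = rehash_with_provenance(SAMPLE_ARCHIVE, LEGACY_MD5, date(2017, 6, 28))
    for key, value in record.items():
        print(f"{key}: {value}")
```

A tampered archive fails the MD5 gate and gets no record at all, and a consumer reading `verified_by` can tell this entry from one signed at release time.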