List: cryptography
Subject: Re: [Cryptography] Oracle discovers the 1990s in crypto
From: "Shawn K. Quinn" <skquinn () rushpost ! com>
Date: 2017-01-24 21:38:22
Message-ID: 26c9acf4-0fdb-9e32-6d91-80303a8ce1a0 () rushpost ! com
On 01/22/2017 07:05 AM, Jerry Leichter wrote:
> Anyone want to bet on how many pre-built jar files, signed years ago
> with MD5 or short RSA keys, are out there in Maven repositories,
> waiting to cause build and run-time failures all over the planet?
> How many of them will turn out to have long-lost source trees, or
> will have source trees that can no longer be built because the
> tooling around them has deteriorated?
>
> Actually, I suspect that things won't be as bad as they might have
> simply because so many of these widely-shared artifacts aren't signed
> anyway....
Generally, depending on binary blobs is a bad idea. Though a later post
indicates it may be possible to update just the signatures, which would
at least be a decent stopgap measure (i.e. fix the immediate issue of
breakage).
--
Shawn K. Quinn <skquinn@rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography