[Interest] sha256 checksums for Qt downloads

Bo Thorsen bo at vikingsoft.eu
Thu Feb 19 16:05:13 CET 2015


On 02/19/2015 02:36 PM, Jérôme Pinguet wrote:
> Hello!
>
> Would it be possible to add sha256 (and/or sha512) checksums to the Qt
> 4.8.6 download page [1]?
>
> md5 checksums are easily forged in a few days with a couple of GPUs. In
> a post-Snowden era, to avoid security issues with downloads on a page
> that is not https by default, using sha2 (sha256 for instance) is necessary.
>
> Other security enhancements suggested:
>
> * make https default for download pages
> * sign the checksum files (md5sums-4.8.6 and the future sha256sums-4.8.6)
> with a well-known Qt developer's GPG key
>
> Thank you for helping all of us improve security and fight malware
> through the use of up-to-date and secure hashing algorithms! :-)
>
> [1] http://download.qt.io/archive/qt/4.8/4.8.6/

There's a very clear rule in 4.8: No new features are allowed. It's 
pretty much only security fixes that will find their way to this. Perhaps
some bug fixes as well.

So no, you won't get this for a 4.8 based application.

Your options are to upgrade Qt to 5.x (which you probably chose not to 
for some reason) or to implement it yourself.

If you need this for a 4.8 based application, you can just create your 
own Qt patch and build Qt yourself with it. It shouldn't be difficult to 
port the code from the 5.x sources to 4.8.

Bo Thorsen,
Director, Viking Software.

-- 
Viking Software
Qt and C++ developers for hire
http://www.vikingsoft.eu


