[Interest] sha256 checksums for Qt downloads
Samuel Gaist
samuel.gaist at edeltech.ch
Thu Feb 19 16:24:55 CET 2015
On 19 févr. 2015, at 16:05, Bo Thorsen <bo at vikingsoft.eu> wrote:
> On 02/19/2015 02:36 PM, Jérôme Pinguet wrote:
>> Hello!
>>
>> Would it be possible to add sha256 (and/or sha512) checksums to the Qt
>> 4.8.6 download page [1]?
>>
>> md5 checksums are easily forged in a few days with a couple of GPUs. In
>> a post-Snowden era, to avoid security issues with downloads on a page
>> that is not https by default, using sha2 (sha256 for instance) is necessary.
>>
>> Other security enhancements suggested:
>>
>> * make https default for download pages
>> * sign checksums files (md5sums-4.8.6 and the future sha256sums-4.8.6)
>> file with a well known Qt developer's GPG key
>>
>> Thank you for helping all of us improve security and fight malware
>> through the use of up-to-date and secure hashing algorithms! :-)
>>
>> [1] http://download.qt.io/archive/qt/4.8/4.8.6/
>
> There's a very clear rule in 4.8: No new features are allowed. It's
> pretty much only security fixes that will find its way to this. Perhaps
> some bug fixes as well.
>
> So no, you won't get this for a 4.8 based application.
>
> Your options are to upgrade Qt to 5.x (which you probably chose not to
> for some reason) or to implement it yourself.
>
> If you need this for a 4.8 based application, you can just create your
> own Qt patch and build Qt yourself with it. It shouldn't be difficult to
> port the code from the 5.x sources to 4.8.
>
> Bo Thorsen,
> Director, Viking Software.
>
> --
> Viking Software
> Qt and C++ developers for hire
> http://www.vikingsoft.eu
Hi,
@Bo
I think the OP was just asking to add the information on the download page and secure it using https.
@Jérôme
It's available in the "Details" for each download
Cheers
Samuel