[Interest] sha256 checksums for Qt downloads

Jérôme Pinguet jerome at jerome.cc
Thu Feb 19 16:39:04 CET 2015


On 19/02/2015 16:24, Samuel Gaist wrote:
> On 19 févr. 2015, at 16:05, Bo Thorsen <bo at vikingsoft.eu> wrote:
>
>> On 02/19/2015 02:36 PM, Jérôme Pinguet wrote:
>>> Hello!
>>>
>>> Would it be possible to add sha256 (and/or sha512) checksums to the Qt
>>> 4.8.6 download page [1]?
>>>
>>> md5 checksums are easily forged in a few days with a couple of GPUs. In
>>> a post-Snowden era, to avoid security issues with downloads on a page
>>> that is not https by default, using sha2 (sha256 for instance) is necessary.
>>>
>>> Other security enhancements suggested:
>>>
>>> * make https default for download pages
>>> * sign checksums files (md5sums-4.8.6 and the future sha256sums-4.8.6)
>>> file with a well-known Qt developer's GPG key
>>>
>>> Thank you for helping all of us improve security and fight malware
>>> through the use of up-to-date and secure hashing algorithms! :-)
>>>
>>> [1] http://download.qt.io/archive/qt/4.8/4.8.6/
>> There's a very clear rule in 4.8: No new features are allowed. It's 
>> pretty much only security fixes that will find their way into this. Perhaps 
>> some bug fixes as well.
>>
>> So no, you won't get this for a 4.8 based application.
>>
>> Your options are to upgrade Qt to 5.x (which you probably chose not to 
>> for some reason) or to implement it yourself.
>>
>> If you need this for a 4.8 based application, you can just create your 
>> own Qt patch and build Qt yourself with it. It shouldn't be difficult to 
>> port the code from the 5.x sources to 4.8.
>>
>> Bo Thorsen,
>> Director, Viking Software.
>>
>> -- 
>> Viking Software
>> Qt and C++ developers for hire
>> http://www.vikingsoft.eu
> Hi,
>
> @Bo
> I think the OP was just asking to add the information on the download page and secure it using https
>
> @Jérome
> It's available in the "Details" for each download
Ok. Thank you very much! One should always check for the details before
complaining... ;-)

I still have a few complaints though: no https by default and no GPG
authentication of the checksums. Firefox complains about the https
version of the page because a few elements are not served through https...

Putting sha256 in the forefront instead of md5 would be a good idea too
I guess.

I hope someone in charge of the security at Qt reads this and takes
action. :-)

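What the thread asks for on the consumer side (check a download against a sha256 list, and check that the list itself carries a detached OpenPGP signature) is the following POSIX shell script. It is an added example written for this page, not part of the original mail and not Qt's own tooling; the file name qt-sample.txt, the sha256sums file layout (the "hash  filename" format that sha256sum and md5sum emit) and the demo contents are constructed for illustration.

```shell
#!/bin/sh
# verify_download.sh (added example, not Qt project code)
#
# Verifies a downloaded file against a sha256sums list and, when a
# detached OpenPGP signature is present, verifies the signature on the
# list itself. The checksum protects against a corrupted or silently
# swapped tarball; only the signature ties the list to a key you obtained
# out of band, which is the point of the thread's GPG request.

set -u

# verify_sha256 FILE SUMSFILE
# Returns 0 when FILE's sha256 matches the entry for its basename in
# SUMSFILE (sha256sum format: "<hex>  <name>" or "<hex> *<name>").
# Returns 2 when the list has no entry for the file, 1 on mismatch.
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no sha256 entry for $name in $sums" >&2
        return 2
    fi
    # GNU coreutils ships sha256sum; macOS/BSD ship shasum from Perl.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" 2>/dev/null | awk '{ print $1 }')
    else
        actual=$(shasum -a 256 "$file" 2>/dev/null | awk '{ print $1 }')
    fi
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "sha256 mismatch for $name: expected $expected, got ${actual:-<none>}" >&2
    return 1
}

# verify_signature SIGFILE SUMSFILE
# Runs gpg in batch mode on a detached signature over the checksum list.
# Success only means "valid signature from a key in your keyring"; you
# must have imported and verified the signer's key beforehand.
# Returns 3 when gpg is not installed.
verify_signature() {
    sig=$1
    sums=$2
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $sig" >&2
        return 3
    fi
    gpg --batch --verify "$sig" "$sums"
}

# Demo on constructed data (no network, no Qt download involved).
# "hello\n" has the well-known sha256
# 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03.
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/qt-sample.txt"
    printf '%s  %s\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        qt-sample.txt > "$d/sha256sums"

    if verify_sha256 "$d/qt-sample.txt" "$d/sha256sums"; then
        echo "intact download: checksum OK"
    fi

    # Simulate a tampered download: one byte changed.
    printf 'hellp\n' > "$d/qt-sample.txt"
    if ! verify_sha256 "$d/qt-sample.txt" "$d/sha256sums"; then
        echo "tampered download: checksum rejected"
    fi

    # No signature file shipped (as on the page the thread discusses):
    # verification cannot succeed, and the script says so.
    if ! verify_signature "$d/sha256sums.sig" "$d/sha256sums" 2>/dev/null; then
        echo "no valid signature on the checksum list"
    fi
    rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced.
case "${0##*/}" in
    verify_download.sh) demo ;;
esac
```

Usage against a real download would be `verify_sha256 qt-everywhere-opensource-src-4.8.6.tar.gz sha256sums` followed by `verify_signature sha256sums.sig sha256sums`, with the signer's public key fetched from a source you trust more than the unauthenticated download page (for example a key fingerprint published over https or printed in release notes). Note that the checksum list only helps if it was fetched over a different channel than the tarball, or is signed; an attacker who can replace the tarball on a plain-http page can replace the md5sums or sha256sums file next to it just as easily, which is why the signature, not the hash algorithm, closes that gap.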