[Interest] sha256 checksums for Qt downloads
Thiago Macieira
thiago.macieira at intel.com
Thu Feb 19 17:42:46 CET 2015
On Thursday 19 February 2015 14:36:42 Jérôme Pinguet wrote:
> Hello!
>
> Would it be possible to add sha256 (and/or sha512) checksums to the Qt
> 4.8.6 download page [1]?
>
> md5 checksums are easily forged in a few days with a couple of GPUs. In
> a post-Snowden era, to avoid security issues with downloads on a page
> that is not https by default, using sha2 (sha256 for instance) is necessary.
>
> Other security enhancements suggested:
>
> * make https default for download pages
> * sign checksums files (md5sums-4.8.6 and the future sha256sums-4.8.6)
> file with a well known Qt developper's GPG key
>
> Thank you for helping all of us improve security and fight malware
> through the use of up-to-date and secure hashing algorithms! :-)
>
> [1] http://download.qt.io/archive/qt/4.8/4.8.6/
The checksums are there. Click the Details link to the right of the file.
The files at the bottom of the listing are created by the old scripts we used
to use when we didn't have the download infrastructure.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
More information about the Interest
mailing list