[Cryptography] Oracle discovers the 1990s in crypto

John Levine johnl at iecc.com
Sun Jan 22 18:17:17 EST 2017


>Anyone want to bet on how many pre-build jar files, signed years ago with MD5 or short RSA keys, are out there
>in Maven repositories, waiting to cause build and run-time failures all over the planet?  How many of them
>will turn out to have long-lost source trees, or will have source trees that can no longer be built because
>the tooling around them has deteriorated?

That's probably not such a bad problem -- you can strip the signatures
off a .JAR file using zip/unzip and a text editor, then re-sign it with
the usual signature tools, without touching the code in the file.  You
can also add new signatures and hashes leaving the old ones in place,
and it's supposed to work.

The question, of course, is whether the legacy-ware that uses these
old files will accept newer signatures.

R's,
John
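The layout John relies on (signature files under META-INF/, digests in MANIFEST.MF and the .SF) can be audited and stripped without touching the class files. Added example, not from the post or any project; the entry names, the fake digests and the "MD5-only" weak list are constructed assumptions, and the stripped output still has to be re-signed with jarsigner or similar.

```python
import io
import re
import zipfile

SIG_ENTRY_RE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)
# Matches "MD5-Digest:", "SHA-256-Digest-Manifest:", "...-Digest-Manifest-Main-Attributes:"
DIGEST_HDR_RE = re.compile(r"^(\S+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.MULTILINE)
WEAK_DIGESTS = {"MD5"}  # assumption for this example; extend as the JDK retires more algorithms

def signature_digests(jar_bytes):
    """Map each META-INF/*.SF signature file to the digest algorithms named in it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                report[name] = set(DIGEST_HDR_RE.findall(zf.read(name).decode("utf-8", "replace")))
    return report

def weak_signature_files(jar_bytes):
    """Signature files whose digests a current JDK rejects (the MD5 case discussed above)."""
    return sorted(n for n, algs in signature_digests(jar_bytes).items() if algs & WEAK_DIGESTS)

def strip_signatures(jar_bytes):
    """Unsigned copy: drop .SF/.RSA/.DSA/.EC entries and the per-entry digest sections of
    MANIFEST.MF (everything after its first blank line); all other entries are copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_ENTRY_RE.match(info.filename):
                continue
            data = src.read(info.filename)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                main = re.split(r"\r?\n\r?\n", data.decode("utf-8", "replace"), maxsplit=1)[0]
                data = (main.rstrip() + "\r\n").encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()

def build_sample_jar(digest="MD5"):
    """Constructed sample: a tiny JAR laid out like a signed one (fake digests, fake PKCS#7 block)."""
    fake = "AAAAAAAAAAAAAAAAAAAAAA=="
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: com/example/Hello.class\r\n{digest}-Digest: {fake}\r\n\r\n"
    sf = (f"Signature-Version: 1.0\r\n{digest}-Digest-Manifest: {fake}\r\n\r\n"
          f"Name: com/example/Hello.class\r\n{digest}-Digest: {fake}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [("META-INF/MANIFEST.MF", manifest), ("META-INF/OLDKEY.SF", sf),
                           ("META-INF/OLDKEY.RSA", b"\x30\x00"), ("com/example/Hello.class", b"\xca\xfe\xba\xbe")]:
            zf.writestr(name, data)
    return buf.getvalue()
```

Running `weak_signature_files` over a Maven cache answers the question in the quoted post for your own repository; `strip_signatures` then produces the input John describes handing to the usual signing tools.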

