[Cryptography] Oracle discovers the 1990s in crypto

Shawn K. Quinn skquinn at rushpost.com
Tue Jan 24 16:38:22 EST 2017


On 01/22/2017 07:05 AM, Jerry Leichter wrote:
> Anyone want to bet on how many pre-build jar files, signed years ago
> with MD5 or short RSA keys, are out there in Maven repositories,
> waiting to cause build and run-time failures all over the planet?
> How many of them will turn out to have long-lost source trees, or
> will have source trees that can no longer be built because the
> tooling around them has deteriorated?
> 
> Actually, I suspect that things won't be as bad as they might have
> simply because so many of these widely-shared artifacts aren't signed
> anyway....

Generally, depending on binary blobs is a bad idea. Though a later post
indicates it may be possible to update just the signatures, which would
at least be a decent stopgap measure (i.e. fix the immediate issue of
breakage).

-- 
Shawn K. Quinn <skquinn at rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
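A defender's check for the situation discussed in this thread, added here and not part of the original post: it opens a jar, reads each META-INF/*.SF signature file, and reports signatures whose digests use MD5 (or MD2), the kind of algorithm newer JDKs reject through the jdk.jar.disabledAlgorithms security property. The jar below is a constructed sample with no real signature block, so RSA key size is not checked.

```python
import io
import re
import zipfile

# Digest algorithms that modern jarsigner/JDK releases treat as disabled.
WEAK_DIGESTS = {"MD2", "MD5"}

# Matches header names such as "MD5-Digest:", "SHA-256-Digest-Manifest:" and
# "SHA-256-Digest-Manifest-Main-Attributes:" at the start of a line in a .SF file.
DIGEST_HEADER = re.compile(
    r"^(?P<alg>[A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:",
    re.MULTILINE,
)


def weak_digests_in_jar(jar_bytes: bytes) -> dict:
    """Map each META-INF/*.SF in the jar to the sorted list of weak digest algs it uses."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                text = zf.read(name).decode("utf-8", errors="replace")
                algs = {m.group("alg").upper() for m in DIGEST_HEADER.finditer(text)}
                findings[name] = sorted(a for a in algs if a in WEAK_DIGESTS)
    return findings


def build_sample_jar(digest_alg: str) -> bytes:
    """Constructed sample: a minimal signed-jar layout using the given digest name."""
    sf = (
        "Signature-Version: 1.0\r\n"
        f"{digest_alg}-Digest-Manifest: AAAA\r\n"  # placeholder digest value
        "Created-By: 1.4.2 (Sun Microsystems Inc.)\r\n\r\n"
        "Name: com/example/Foo.class\r\n"
        f"{digest_alg}-Digest: AAAA\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/OLDSIG.SF", sf)
        zf.writestr("META-INF/OLDSIG.RSA", b"")  # real PKCS#7 block omitted in this sample
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(weak_digests_in_jar(build_sample_jar("MD5")))      # {'META-INF/OLDSIG.SF': ['MD5']}
    print(weak_digests_in_jar(build_sample_jar("SHA-256")))  # {'META-INF/OLDSIG.SF': []}
```

Pointing weak_digests_in_jar at jars pulled from a Maven repository (read each file's bytes first) gives an inventory of which artifacts would need re-signing.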

