62821 – Use SHA-512 checksums instead of MD5 to verify jar downloads

Bug 62821 - Use SHA-512 checksums instead of MD5 to verify jar downloads

Summary: Use SHA-512 checksums instead of MD5 to verify jar downloads

Status:	RESOLVED FIXED

Alias:	None

Product:	JMeter - Now in Github
Classification:	Unclassified
Component:	Main (show other bugs)
Version:	5.0
Hardware:	All All

Importance:	P2 enhancement (vote)
Target Milestone:	JMETER_5.1
Assignee:	JMeter issues mailing list

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-10-12 19:45 UTC by Felix Schumacher
Modified:	2018-12-18 22:29 UTC (History)
CC List:	1 user (show)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Schumacher 2018-10-12 19:45:05 UTC

MD5 is considered broken, so we should verify downloaded artefacts for our build process with a non broken checksum. SHA-512 is considered safe -- at the moment.

Comment 1 Felix Schumacher 2018-10-12 19:50:06 UTC

Date: Fri Oct 12 19:49:33 2018
New Revision: 1843694

URL: http://svn.apache.org/viewvc?rev=1843694&view=rev
Log:
Use SHA-512 checksums instead of MD5 to verify jar downloads

Closes #405 on github
Bugzilla Id: 62821

Modified:
    jmeter/trunk/build.properties
    jmeter/trunk/build.xml
    jmeter/trunk/xdocs/changes.xml

Comment 2 Felix Schumacher 2018-10-12 20:18:27 UTC

Date: Fri Oct 12 20:17:55 2018
New Revision: 1843699

URL: http://svn.apache.org/viewvc?rev=1843699&view=rev
Log:
Correct SHA-512 checksum for xercesImpl and httpasyncclient

Followup to r1843694 Use SHA-512 checksums instead of MD5 to verify jar downloads

Relates #405 on github
Bugzilla Id: 62821

Comment 3 The ASF infrastructure team 2022-09-24 20:38:14 UTC

This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/4891