[Project_owners] Stronger Hash Support for Secure Installations and Updates

Douglas E. Warner silfreed at silfreed.net
Mon Jun 1 12:02:54 PDT 2009


Ever since we released [1] our file release system [2] (including secure updates
and installations of .xpi files) we've planned on improving the support of
hashes. We didn't originally realize that md5 was no longer on the list of
hashes [3], and with sha1 having its own share of problems recently, the need
for stronger hashes was increased.

So finally we have dropped support for md5 as well and support only the
stronger hash mechanisms (sha1, sha256, sha384, and sha512). We still
auto-detect the hash type by the length of the hash submitted in the file
management tool, so the procedure is exactly the same. Any existing md5
hashes are still in our system and presented by our secure install links but
are considered deprecated.

-Doug

[1] http://www.mozdev.org/drupal/blog/Project-overview-page
[2] http://www.mozdev.org/drupal/wiki/MozdevDownloadReleases
[3] https://developer.mozilla.org/en/Extension_Versioning%2c_Update_and_Compatibility#Update_RDF_Format


-- 
Douglas E. Warner    <silfreed at silfreed.net>    Site Developer
Mozdev.org           http://www.mozdev.org
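
Added example, not part of the original message and not Mozdev's code: a sketch of length-based hash detection as the message describes it, accepting sha1/sha256/sha384/sha512 and refusing md5 for new submissions while still recognising stored md5 records. The function names and the `allow_deprecated` flag are assumptions of this example.

```python
import hashlib
import hmac
import string

# Hex digest length -> algorithm, for the hashes named in the message.
# Length only disambiguates within this fixed set; other algorithms can
# share a length (e.g. sha3-256 is also 64 hex characters).
SUPPORTED = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
DEPRECATED = {32: "md5"}  # recognised for existing records, refused for new ones


def detect_algorithm(hex_digest, allow_deprecated=False):
    """Return the algorithm name implied by the digest length.

    Raises ValueError for non-hex input, unknown lengths, and (unless
    allow_deprecated is set) md5-length digests.
    """
    digest = hex_digest.strip().lower()
    if not digest or any(c not in string.hexdigits for c in digest):
        raise ValueError("digest is not a hex string")
    if len(digest) in SUPPORTED:
        return SUPPORTED[len(digest)]
    if len(digest) in DEPRECATED:
        if allow_deprecated:
            return DEPRECATED[len(digest)]
        raise ValueError("md5 digests are no longer accepted")
    raise ValueError("unrecognised digest length: %d" % len(digest))


def verify(data, hex_digest, allow_deprecated=False):
    """Check data against a digest whose type is inferred from its length."""
    algorithm = detect_algorithm(hex_digest, allow_deprecated)
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison; both sides are lowercase ASCII hex.
    matches = hmac.compare_digest(actual, hex_digest.strip().lower())
    return algorithm, matches


if __name__ == "__main__":
    # Constructed sample bytes standing in for an .xpi file.
    payload = b"constructed sample standing in for an .xpi file"
    for name in ("sha1", "sha256", "sha384", "sha512"):
        submitted = hashlib.new(name, payload).hexdigest()
        print(name, verify(payload, submitted))
```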
