[slf4j-user] Signatures for verifying Slf4j

Ceki Gülcü ceki at qos.ch
Thu May 13 22:01:01 CEST 2010


On 13/05/2010 8:01 AM, Elisha Ebenezer wrote:
> Ceki,
> I've raised the bug report upon your suggestion. Bug#183
> <http://bugzilla.slf4j.org/show_bug.cgi?id=183>
> However, I still request you to specify the md5/sha1 checksums on your site.
> This will help us to at least convince our security team that integrity
> of the downloaded files can be verified.
> Please do the needful.
> Thanks,
> Elisha Ebenezer.

An md5 or sha1 checksum on http://slf4j.org would not provide any
additional security because any adversary who can corrupt the
distribution files on our site can also, in all likelihood, corrupt
the checksums appearing on the same site.

I am quite surprised to hear any knowledgeable security professional
would consider a cryptographic checksum as providing any sort of
integrity assurance because it does not.
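
Added example, not part of the original message or of the SLF4J project: a small simulation of the argument above, comparing a SHA-1 checksum served by the same site as the file with a digest the user holds from another channel. The `DownloadSite` class, the file name and the byte strings are constructed, and the out-of-band digest is an assumption.

```python
import hashlib
import hmac

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

class DownloadSite:
    """Constructed stand-in for a web site serving files and their .sha1 files."""

    def __init__(self):
        self.files = {}

    def publish(self, name: str, data: bytes) -> None:
        # Whoever can write the artifact can write the checksum beside it.
        self.files[name] = data
        self.files[name + ".sha1"] = sha1_hex(data).encode()

    def get(self, name: str) -> bytes:
        return self.files[name]

def verify_same_origin(site: DownloadSite, name: str) -> bool:
    """Compare the download with the checksum served by the same site."""
    expected = site.get(name + ".sha1").decode().strip()
    return hmac.compare_digest(sha1_hex(site.get(name)), expected)

def verify_pinned(site: DownloadSite, name: str, pinned: str) -> bool:
    """Compare the download with a digest obtained through another channel."""
    return hmac.compare_digest(sha1_hex(site.get(name)), pinned)

def run_scenarios() -> dict:
    name = "example-lib.jar"                       # constructed file name
    site = DownloadSite()
    site.publish(name, b"original release bytes")  # constructed content
    pinned = sha1_hex(b"original release bytes")   # assumed to reach the user out of band
    checks = lambda: (verify_same_origin(site, name), verify_pinned(site, name, pinned))
    results = {"clean": checks()}

    # File damaged, checksum untouched (for example a truncated upload).
    site.files[name] = b"original release byt"
    results["damaged"] = checks()

    # File replaced by someone with write access, who republishes the checksum too.
    site.publish(name, b"replaced release bytes")
    results["replaced"] = checks()
    return results

if __name__ == "__main__":
    for case, (same_origin, pinned_ok) in run_scenarios().items():
        print(f"{case:9} same-origin={same_origin} pinned={pinned_ok}")
```

Each result pair is (same-origin check, pinned check); in the "replaced" case the same-origin check still passes while the pinned check fails.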

