Posts: 10
Threads: 2
Joined: Aug 2015
Since SourceForge is now considered corrupted (see articles on the internet), I suggest we:
- either leave them (but given the size of AC that could mean a bandwidth problem, so I understand if we don't)
- or put the SHA-512 checksum (https://en.wikipedia.org/wiki/Cryptograp...r_messages) of the file in the download section
Second option seems the best. It's easy and would avoid the temptation of SourceForge putting some malicious code into the game archives.
Problems I see:
- are checksums easily accessible in Windows (I use Unix and I have no idea)?
- must not forget to update the checksum with the game version available for ddl (although that can certainly be automated)
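An added example, not part of the original post or the project's own tooling: a standard-library Python sketch of both sides of the proposal, generating a `sha256sum`-format manifest at release time and checking a download against it on Windows or Unix. It assumes the manifest is published on the project's own site rather than on the mirror that hosts the binaries; the file name and sample bytes are constructed, and SHA-256 is used here where the post suggests SHA-512.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large game archive never sits fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(paths):
    """Release-side step: one 'digest  filename' line per file (sha256sum format)."""
    return "".join(f"{sha256_file(p)}  {os.path.basename(p)}\n" for p in sorted(paths))

def parse_manifest(text):
    """Map filename -> lowercase digest, rejecting anything that is not SHA-256 hex."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"not a SHA-256 digest: {digest!r}")
        entries[name[1:]] = digest.lower()  # drop the ' ' or '*' mode marker
    return entries

def verify_download(path, manifest_text):
    """User-side step: return 'OK', 'MISMATCH' or 'UNLISTED' for a downloaded file."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "UNLISTED"  # never treat a file the manifest does not name as verified
    return "OK" if sha256_file(path) == expected else "MISMATCH"

def demo():
    """Constructed sample: publish a manifest, then modify the archive afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "game-release.zip")  # hypothetical file name
        with open(archive, "wb") as fh:
            fh.write(b"constructed archive bytes")
        manifest = build_manifest([archive])  # assumed to be served by the project site
        before = verify_download(archive, manifest)
        with open(archive, "ab") as fh:
            fh.write(b"bytes added by the mirror")
        return before, verify_download(archive, manifest)

if __name__ == "__main__":
    print(demo())
```

The check only helps if the manifest reaches the user over a channel the mirror does not control; a checksum stored next to the archive on the same host can be replaced along with it.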
Posts: 2,387
Threads: 56
Joined: Aug 2010
11 Aug 15, 02:41PM
(This post was last modified: 11 Aug 15, 02:42PM by ExodusS.)
When you download the game, the name of the file on SourceForge is named "AssaultCube (has moved to Github)".
Posts: 10
Threads: 2
Joined: Aug 2015
But the binaries are on sf... Do you expect the average user to build the game themselves?
Posts: 1,033
Threads: 85
Joined: Oct 2013
Posts: 10
Threads: 2
Joined: Aug 2015
11 Aug 15, 03:40PM
(This post was last modified: 11 Aug 15, 03:41PM by damien.)
MD5 is broken...
https://en.wikipedia.org/wiki/Md5#Security
But yea I guess there are plenty of tools.
(should be included by default tho... aah, windos)
Posts: 992
Threads: 35
Joined: Mar 2011
11 Aug 15, 11:27PM
(This post was last modified: 11 Aug 15, 11:29PM by Waffles.)
SHA is the way to go.
Posts: 10
Threads: 2
Joined: Aug 2015
SHA256 or more, SHA1 being broken too lol.
Posts: 1,033
Threads: 85
Joined: Oct 2013
My bad. I jumped directly to "Problems" section.
Posts: 354
Threads: 1
Joined: Jun 2010
SHA1 isn't _broken_ broken, it has a known "theoretical weakness", and is as of now still secure in practice. Even MD5 works in practice unless someone with funding from a multinational megacorp or a nation-state is out to get you, which I doubt is the case with AC. I'm definitely not advocating MD5 though, but SHA1 is still fine.
No SHA1 collisions (even artificially produced) are known to exist, and it's widely enough used to be a safe common denominator (Microsoft's own file checker tool, for example, only does MD5 and SHA1 AFAIK), so a SHA1 checksum should probably be included at least for those users.
Posts: 10
Threads: 2
Joined: Aug 2015
https://www.schneier.com/blog/archives/2...roken.html
It's breakable by anybody having a "little" money... We don't know who controls sourceforge. And today, cloud computing is quite easily available. No need to get paranoid, but as a common matter of principle, let's avoid them.
And anyway, we don't need to worry when using sha256 isn't more complicated.
Posts: 1,033
Threads: 85
Joined: Oct 2013
(19 Aug 15, 06:38PM)damien Wrote: We don't know who controls sourceforge.
Dice Holdings, Inc:
https://en.wikipedia.org/wiki/SourceForge
Posts: 855
Threads: 68
Joined: Jun 2010
who controls sha256? sha-ception
Posts: 354
Threads: 1
Joined: Jun 2010
(19 Aug 15, 06:38PM)damien Wrote: https://www.schneier.com/blog/archives/2...roken.html
It's breakable by anybody having a "little" money... We don't know who controls sourceforge. And today, cloud computing is quite easily available. No need to get paranoid, but as a common matter of principle, let's avoid them.
And anyway, we don't need to worry when using sha256 isn't more complicated.
That's old news. That is the theoretical vulnerability that I mentioned. 10 years later, there are still no practical attacks that work for SHA1, even if you have a "little" money. And anyway, it's no extra effort to include SHA1 hash for those who don't have the tools for other hashes.
Posts: 12
Threads: 1
Joined: Aug 2015
22 Aug 15, 06:14AM
(This post was last modified: 22 May 16, 11:13AM by Brett.)
edit