Re: SHA512 by default for GPG sigs

2016-05-19 Thread Christopher
On Thu, May 19, 2016 at 2:43 AM Stian Soiland-Reyes wrote:
> In principle +1, a PGP signature based on sha1 is not cryptographically
> strong.
>
> Obviously blindly checking a PGP signature, even after importing the KEYS
> from https://www.apache.org/dist, that is also not any

Re: SHA512 by default for GPG sigs

2016-05-19 Thread Martin Desruisseaux
+0 on my side. Seems a good thing, but I may not master all the aspects. Martin

On 18/05/16 at 13:45, Christopher wrote:
> Hi all,
>
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>

Re: SHA512 by default for GPG sigs

2016-05-19 Thread Sergio Fernández
+1

On Wed, May 18, 2016 at 7:45 PM, Christopher wrote:
> Hi all,
>
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
> Essentially this is a suggestion to configure the

Re: SHA512 by default for GPG sigs

2016-05-19 Thread Stian Soiland-Reyes
In principle +1, a PGP signature based on sha1 is not cryptographically strong. Obviously blindly checking a PGP signature, even after importing the KEYS from https://www.apache.org/dist, that is also not any proof you got the intended release, just an artifact by someone who previously signed

Re: SHA512 by default for GPG sigs

2016-05-18 Thread Christopher
Yes, that is correct. I'm referring to the ASF-wide parent pom. If I understand the situation correctly, releases of that POM are managed by the Maven PMC, but because of its utility throughout the ASF, Hervé Boutemy had commented on MPOM-118 that it should be brought to the attention of a

Re: SHA512 by default for GPG sigs

2016-05-18 Thread Benson Margulies
Greg, the proposal is for the _Default ASF POM_ to be set up so that _all_ projects would use SHA-512. This is not a question for the Maven PMC.

On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk wrote:
>
> Hi Christopher:
>
> Thanks for your involvement. Apache Maven is one

SHA512 by default for GPG sigs

2016-05-18 Thread Christopher
Hi all, I'm not sure a better list to get feedback on, but I wanted to bring attention to the proposal here: https://issues.apache.org/jira/browse/MPOM-118 Essentially this is a suggestion to configure the maven-gpg-plugin to sign using SHA512 as its digest algorithm in the ASF Parent POM, used