On Thu, May 19, 2016 at 2:43 AM Stian Soiland-Reyes wrote:
> In principle +1, a PGP signature based on sha1 is not cryptographically
> strong.
>
> Obviously blindly checking a PGP signature, even after importing the KEYS
> from https://www.apache.org/dist, that is also not any
+0 on my side. Seems a good thing, but I may not master all the aspects.
Martin
On 18/05/16 at 13:45, Christopher wrote:
> Hi all,
>
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
+1
On Wed, May 18, 2016 at 7:45 PM, Christopher wrote:
> Hi all,
>
> I'm not sure a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
> Essentially this is a suggestion to configure the
In principle +1, a PGP signature based on sha1 is not cryptographically
strong.
Obviously blindly checking a PGP signature, even after importing the KEYS
from https://www.apache.org/dist, that is also not any proof you got the
intended release, just an artifact by someone who previously signed
Yes, that is correct. I'm referring to the ASF-wide parent pom.
If I understand the situation correctly, releases of that POM are managed
by the Maven PMC, but because of its utility throughout the ASF, Hervé
Boutemy had commented on MPOM-118 that it should be brought to the
attention of a
Greg, the proposal is for the _Default ASF POM_ to be set up so that
_all_ projects would use SHA-512. This is not a question for the Maven
PMC.
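For reference, this is what the proposal under discussion amounts to in a parent POM: a `pluginManagement` entry that passes `--digest-algo SHA512` to GnuPG through the maven-gpg-plugin's `gpgArguments` parameter. This is an added illustration, not the actual MPOM-118 patch; the plugin version is an assumption.

```xml
<!-- Added example (not the MPOM-118 change itself): make maven-gpg-plugin
     sign release artifacts with a SHA-512 digest instead of GnuPG's default.
     The plugin version below is an assumption. -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <configuration>
          <!-- Extra arguments handed verbatim to the gpg binary -->
          <gpgArguments>
            <arg>--digest-algo</arg>
            <arg>SHA512</arg>
          </gpgArguments>
        </configuration>
        <executions>
          <execution>
            <id>sign-release-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```

To check what a produced `.asc` file actually used, `gpg --list-packets artifact.jar.asc` prints the signature packet's `digest algo`: 10 is SHA-512, 2 is SHA-1 (the OpenPGP hash algorithm ids from RFC 4880).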
On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk wrote:
>
> Hi Christopher:
>
> Thanks for your involvement. Apache Maven is one
Hi all,
I'm not sure a better list to get feedback on, but I wanted to bring
attention to the proposal here:
https://issues.apache.org/jira/browse/MPOM-118
Essentially this is a suggestion to configure the maven-gpg-plugin to sign
using SHA512 as its digest algorithm in the ASF Parent POM, used