Mike,

We use stronger checksums (SHA512) in the SVN[1] area and downloads page[2]
after a vote passes. In fact, we're one of the only "perfect projects" in
regards to compliance with this policy[3].

The Maven staging area doesn't follow all the "SHOULD" statements, but
that's only because these checksums are automatically generated by
maven-deploy-plugin, and not under our direct control. However, it still
follows all the "MUST" statements, so it is still in compliance with the
cited policy. Unless we're willing to circumvent standard Maven tooling and
risk breaking things which depend on the conventions established by this
tooling (which, to be clear, I think would be a really terribly bad idea),
we simply cannot follow all the "SHOULD" statements for the Maven staging
area.

[1]: https://www.apache.org/dist/accumulo/
[2]: https://accumulo.apache.org/downloads/
[3]: https://checker.apache.org/dist/unsummed.html

On Sat, Apr 14, 2018 at 11:13 PM Mike Drob <md...@mdrob.com> wrote:

> -0
>
> please do not publish md5 sums
> please add missing sha256 sums
>
> apache release policy:
> http://www.apache.org/dev/release-distribution#sigs-and-sums
>
> On Sat, Apr 14, 2018 at 11:37 AM, Mike Walch <mwa...@apache.org> wrote:
>
> > +1
> >
> > * Verified sha1 & md5 hashes matched
> > * Verified signatures
> > * Ran binary tarball locally using Uno
> > * Ran 'mvn verify' successfully for wikisearch using RC jars
> >
> > On Thu, Apr 12, 2018 at 6:21 PM, Christopher <ctubb...@apache.org> wrote:
> >
> > > Accumulo Developers,
> > >
> > > Please consider the following candidate for Apache Accumulo 1.9.0.
> > >
> > > Git Commit:
> > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > > Branch:
> > >     1.9.0-rc1
> > >
> > > If this vote passes, a gpg-signed tag will be created using:
> > >     git tag -f -m 'Apache Accumulo 1.9.0' -s rel/1.9.0 \
> > >     bca516000bdb54b1e5582f908e0a525634a120f7
> > >
> > > Staging repo:
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070
> > > Source (official release artifact):
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-src.tar.gz
> > > Binary:
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/org/apache/accumulo/accumulo/1.9.0/accumulo-1.9.0-bin.tar.gz
> > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for a
> > > given artifact.)
> > >
> > > All artifacts were built and staged with:
> > >     mvn release:prepare && mvn release:perform
> > >
> > > Signing keys are available at https://www.apache.org/dist/accumulo/KEYS
> > > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D)
> > >
> > > Release notes (in progress) can be found at:
> > > https://accumulo.apache.org/release/accumulo-1.9.0/
> > >
> > > Please vote one of:
> > > [ ] +1 - I have verified and accept...
> > > [ ] +0 - I have reservations, but not strong enough to vote against...
> > > [ ] -1 - Because..., I do not accept...
> > > ... these artifacts as the 1.9.0 release of Apache Accumulo.
> > >
> > > This vote will remain open until at least Sun Apr 15 22:30:00 UTC 2018
> > > (Sun Apr 15 18:30:00 EDT 2018 / Sun Apr 15 15:30:00 PDT 2018).
> > > Voting continues until the release manager sends an email closing the vote.
> > >
> > > Thanks!
> > >
> > > P.S. Hint: download the whole staging repo with
> > >     wget -erobots=off -r -l inf -np -nH \
> > >     https://repository.apache.org/content/repositories/orgapacheaccumulo-1070/
> > >     # note the trailing slash is needed
> > >
> >
>
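
As an added illustration, not part of the thread or of Accumulo's tooling: a Python check of the sidecar convention discussed above (artifact name plus `.md5`, `.sha1`, and so on) that verifies each published sum and reports when only MD5/SHA-1 sums vouch for an artifact. The `.sha256`/`.sha512` sidecar names, the sidecar file format, the function names and the sample artifact are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 and SHA-1 are collision-broken, so sums of those types count as weak.
WEAK = ("md5", "sha1")
STRONG = ("sha256", "sha512")

def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large tarballs are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_artifact(artifact):
    """Return {algo: 'ok' | 'mismatch' | 'missing'} for each sidecar type."""
    result = {}
    for algo in WEAK + STRONG:
        sidecar = Path(str(artifact) + "." + algo)
        if not sidecar.is_file():
            result[algo] = "missing"
            continue
        # Assumption: sidecar holds a bare hex digest or "digest  filename".
        published = (sidecar.read_text().split() or [""])[0].lower()
        result[algo] = "ok" if published == file_digest(artifact, algo) else "mismatch"
    return result

def verdict(result):
    """Any mismatch fails; otherwise require at least one verified strong sum."""
    if "mismatch" in result.values():
        return "FAIL: checksum mismatch"
    if any(result[a] == "ok" for a in STRONG):
        return "PASS"
    return "WEAK: only md5/sha1 sums verified"

def make_sample(directory, algos, corrupt=None):
    """Constructed sample: a fake tarball plus sidecars for the given algos."""
    art = Path(directory) / "example-1.0-src.tar.gz"
    art.write_bytes(b"constructed sample artifact, not a real release\n")
    for algo in algos:
        digest = "0" * 8 if algo == corrupt else file_digest(art, algo)
        Path(str(art) + "." + algo).write_text(digest + "\n")
    return art

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(verdict(audit_artifact(make_sample(d, ["md5", "sha1"]))))
```

A matching checksum only shows the download was not corrupted; authenticity still rests on checking the `.asc` signature against the project's KEYS file.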
