Mike,

We already stopped using md5 and sha1 for the release artifacts on the mirrors. I did this some time ago, and we discussed it on list on previous vote threads (last year)... which resulted in me changing the release candidate build script automated tooling to embed the SHA512 sums for the tarballs directly in the release vote message. I even went back and updated the downloads page for the previous releases and updated the mirrors to be SHA512 only. Because of these steps I took, Accumulo was one of the first projects across the entire ASF who were 100% compliant immediately after INFRA VP updated the release distribution policy you linked.
*This is a resolved action for Accumulo.*

FWIW, SHA512 was also used as the hash algorithm in the GPG signature (same as every RC I've ever prepped for ASF).

The only remaining md5 and sha1 references are Maven-specific tooling, and we have no control over that tooling. We could change the vote template to no longer mention them, but I don't see the point since they're still relevant within the context of Maven artifact hosting, and that's the context in which they are presented in the vote email.

On Sun, Mar 31, 2019 at 1:59 PM Michael Wall wrote:
>
> -1 for the issue with commons config
>
> I check the signatures, they are good. We should stop using md5 and sha1
> though, see https://www.apache.org/dev/release-distribution#sigs-and-sums.
> Has anyone looked at moving to sha256 and/or sha512?
>
> Successful run of mvn clean verify -Psunny
>
> On Sat, Mar 30, 2019 at 11:31 PM Keith Turner wrote:
>
> > I completed a continuous ingest run on a 10 node cluster running
> > CentOS 7. I used the native map. I had to rebuild Accumulo to work
> > around #1065 in order to get the verify M/R job to run.
> >
> > org.apache.accumulo.test.continuous.ContinuousVerify$Counts
> > REFERENCED=34417110819
> > UNREFERENCED=9097524
> >
> > On Wed, Mar 27, 2019 at 7:57 PM Christopher wrote:
> > >
> > > Accumulo Developers,
> > >
> > > Please consider the following candidate for Apache Accumulo 1.9.3.
> > >
> > > This supersedes RC1 and contains the following change:
> > > https://github.com/apache/accumulo/pull/1057
> > >
> > > Git Commit:
> > > 94f9782242a1f336e176c282f0f90063a21e361d
> > > Branch:
> > > 1.9.3-rc2
> > >
> > > If this vote passes, a gpg-signed tag will be created using:
> > > git tag -f -m 'Apache Accumulo 1.9.3' -s rel/1.9.3 \
> > > 94f9782242a1f336e176c282f0f90063a21e361d
> > >
> > > Staging repo:
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077
> > > Source (official release artifact):
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/org/apache/accumulo/accumulo/1.9.3/accumulo-1.9.3-src.tar.gz
> > > Binary:
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/org/apache/accumulo/accumulo/1.9.3/accumulo-1.9.3-bin.tar.gz
> > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for
> > > a given artifact.)
> > >
> > > In addition to the tarballs, and their signatures, the following checksum
> > > files will be added to the dist/release SVN area after release:
> > > accumulo-1.9.3-src.tar.gz.sha512 will contain:
> > > SHA512 (accumulo-1.9.3-src.tar.gz) =
> > > b366b89295b1835038cb242f8ad46b1d8455753a987333f0e15e3d89749540f2cd59db1bc6cf7100fc9050d3d0bc7340a3b661381549d40f2f0223d4120fd809
> > > accumulo-1.9.3-bin.tar.gz.sha512 will contain:
> > > SHA512 (accumulo-1.9.3-bin.tar.gz) =
> > > cc909296d9bbd12e08064fccaf21e81b754c183a8264dfa2575762c76705fd0c580b50c2b224c60feaeec120bd618fba4d6176d0f53e96e1ca9da0d9e2556f1f
> > >
> > > Signing keys are available at https://www.apache.org/dist/accumulo/KEYS
> > > (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D)
> > >
> > > Release notes (in progress) can be found at:
> > > https://accumulo.apache.org/release/accumulo-1.9.3/
> > >
> > > Release testing instructions:
> > > https://accumulo.apache.org/contributor/verifying-release
> > >
> > > Please vote one of:
> > > [ ] +1 - I have verified and accept...
> > > [ ] +0 - I have reservations, but not strong enough to vote against...
> > > [ ] -1 - Because..., I do not accept...
> > > ... these artifacts as the 1.9.3 release of Apache Accumulo.
> > >
> > > This vote will remain open until at least Sun Mar 31 00:00:00 UTC 2019.
> > > (Sat Mar 30 20:00:00 EDT 2019 / Sat Mar 30 17:00:00 PDT 2019)
> > > Voting can continue after this deadline until the release manager
> > > sends an email ending the vote.
> > >
> > > Thanks!
> > >
> > > P.S. Hint: download the whole staging repo with
> > > wget -erobots=off -r -l inf -np -nH \
> > > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/
> > > # note the trailing slash is needed
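
Added example, not part of the original thread and not Accumulo's or the ASF's tooling: a Python check of a tarball against a checksum file in the `SHA512 (name) = digest` form quoted in the vote mail, which also refuses md5 and sha1 as the linked policy asks. The function names and the sample artifact are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Accepted checksum algorithms; md5 and sha1 are refused on purpose.
ALLOWED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# BSD-style tagged line as quoted in the vote mail: "SHA512 (name) = <hex>".
# \s* after "=" tolerates the digest being wrapped onto the next line.
TAGGED = re.compile(r"^(\w+) \((.+)\) =\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_checksum(text):
    """Return (algorithm, filename, hex digest) from a tagged checksum file."""
    match = TAGGED.search(text)
    if match is None:
        raise ValueError("not a BSD-style tagged checksum")
    algo, name, digest = match.group(1).upper(), match.group(2), match.group(3).lower()
    if algo not in ALLOWED:
        raise ValueError(f"refusing weak or unknown algorithm: {algo}")
    if len(digest) != ALLOWED[algo]().digest_size * 2:
        raise ValueError("digest length does not match algorithm")
    return algo, name, digest


def verify_artifact(artifact, checksum_file):
    """True only if the artifact's name and digest match the checksum file."""
    artifact = Path(artifact)
    algo, name, expected = parse_checksum(Path(checksum_file).read_text())
    if name != artifact.name:
        return False  # checksum was issued for a different file
    h = ALLOWED[algo]()
    with artifact.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    import tempfile
    # Constructed sample artifact and checksum file (not the real release).
    with tempfile.TemporaryDirectory() as tmp:
        art = Path(tmp, "example-1.0-src.tar.gz")
        art.write_bytes(b"constructed sample artifact")
        digest = hashlib.sha512(art.read_bytes()).hexdigest()
        ck = Path(tmp, art.name + ".sha512")
        ck.write_text(f"SHA512 ({art.name}) =\n{digest}\n")
        print(verify_artifact(art, ck))
```

A matching checksum only shows the download was not corrupted or swapped relative to the checksum file; the `.asc` signature checked against the KEYS fingerprint is what ties the artifact to the release manager.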
