Sorry, I don't understand what you mean by 'retelling of "checksums of old"'.
On Mon, Apr 1, 2019 at 12:30 PM Josh Elser <[email protected]> wrote: > > I think Mike's point was your VOTE template does not reflect the > retelling of "checksums of old" > > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for > a given artifact.) > > On 3/31/19 10:54 PM, Christopher wrote: > > Mike, > > > > We already stopped using md5 and sha1 for the release artifacts on the > > mirrors. I did this some time ago, and we discussed it on list on > > previous vote threads (last year)... which resulted in me changing the > > release candidate build script automated tooling to embed the SHA512 > > sums for the tarballs directly in the release vote message. I even > > went back and updated the downloads page for the previous releases and > > updated the mirrors to be SHA512 only. Because of these steps I took, > > Accumulo was one of the first projects across the entire ASF who were > > 100% compliant immediately after INFRA VP updated the release > > distribution policy you linked. > > > > *This is a resolved action for Accumulo.* > > > > FWIW, SHA512 was also used as the hash algorithm in the GPG signature > > (same as every RC I've ever prepped for ASF). The only remaining md5 > > and sha1 reference are Maven-specific tooling, and we have no control > > over that tooling. We could change the vote template to no longer > > mention them, but I don't see the point since they're still relevant > > within the context of Maven artifact hosting, and that's the context > > in which they are presented in the vote email. > > > > On Sun, Mar 31, 2019 at 1:59 PM Michael Wall <[email protected]> wrote: > >> > >> -1 for the issue with commons config > >> > >> I check the signatures, they are good. We should stop using md5 and sha1 > >> though, see https://www.apache.org/dev/release-distribution#sigs-and-sums. > >> Has anyone looked at moving to sha256 and/org sha512? > >> Successful run of mvn clean verify -Psunny > >> > >> On Sat, Mar 30, 2019 at 11:31 PM Keith Turner <[email protected]> wrote: > >> > >>> I completed a continuous ingest run on a 10 node cluster running > >>> Centos 7. I used the native map. I had to rebuild Accumulo to work > >>> around #1065 inorder to get the verify M/R job to run. > >>> > >>> org.apache.accumulo.test.continuous.ContinuousVerify$Counts > >>> REFERENCED=34417110819 > >>> UNREFERENCED=9097524 > >>> > >>> On Wed, Mar 27, 2019 at 7:57 PM Christopher <[email protected]> wrote: > >>>> > >>>> Accumulo Developers, > >>>> > >>>> Please consider the following candidate for Apache Accumulo 1.9.3. > >>>> > >>>> This supersedes RC1 and contains the following change: > >>>> https://github.com/apache/accumulo/pull/1057 > >>>> > >>>> Git Commit: > >>>> 94f9782242a1f336e176c282f0f90063a21e361d > >>>> Branch: > >>>> 1.9.3-rc2 > >>>> > >>>> If this vote passes, a gpg-signed tag will be created using: > >>>> git tag -f -m 'Apache Accumulo 1.9.3' -s rel/1.9.3 \ > >>>> 94f9782242a1f336e176c282f0f90063a21e361d > >>>> > >>>> Staging repo: > >>> https://repository.apache.org/content/repositories/orgapacheaccumulo-1077 > >>>> Source (official release artifact): > >>>> > >>> https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/org/apache/accumulo/accumulo/1.9.3/accumulo-1.9.3-src.tar.gz > >>>> Binary: > >>> https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/org/apache/accumulo/accumulo/1.9.3/accumulo-1.9.3-bin.tar.gz > >>>> (Append ".sha1", ".md5", or ".asc" to download the signature/hash for > >>>> a given artifact.) > >>>> > >>>> In addition to the tarballs, and their signatures, the following checksum > >>>> files will be added to the dist/release SVN area after release: > >>>> accumulo-1.9.3-src.tar.gz.sha512 will contain: > >>>> SHA512 (accumulo-1.9.3-src.tar.gz) = > >>>> > >>> b366b89295b1835038cb242f8ad46b1d8455753a987333f0e15e3d89749540f2cd59db1bc6cf7100fc9050d3d0bc7340a3b661381549d40f2f0223d4120fd809 > >>>> accumulo-1.9.3-bin.tar.gz.sha512 will contain: > >>>> SHA512 (accumulo-1.9.3-bin.tar.gz) = > >>>> > >>> cc909296d9bbd12e08064fccaf21e81b754c183a8264dfa2575762c76705fd0c580b50c2b224c60feaeec120bd618fba4d6176d0f53e96e1ca9da0d9e2556f1f > >>>> > >>>> Signing keys are available at https://www.apache.org/dist/accumulo/KEYS > >>>> (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D) > >>>> > >>>> Release notes (in progress) can be found at: > >>>> https://accumulo.apache.org/release/accumulo-1.9.3/ > >>>> > >>>> Release testing instructions: > >>>> https://accumulo.apache.org/contributor/verifying-release > >>>> > >>>> Please vote one of: > >>>> [ ] +1 - I have verified and accept... > >>>> [ ] +0 - I have reservations, but not strong enough to vote against... > >>>> [ ] -1 - Because..., I do not accept... > >>>> ... these artifacts as the 1.9.3 release of Apache Accumulo. > >>>> > >>>> This vote will remain open until at least Sun Mar 31 00:00:00 UTC 2019. > >>>> (Sat Mar 30 20:00:00 EDT 2019 / Sat Mar 30 17:00:00 PDT 2019) > >>>> Voting can continue after this deadline until the release manager > >>>> sends an email ending the vote. > >>>> > >>>> Thanks! > >>>> > >>>> P.S. Hint: download the whole staging repo with > >>>> wget -erobots=off -r -l inf -np -nH \ > >>>> > >>> https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/ > >>>> # note the trailing slash is needed > >>>
