If I understand this correctly, you are saying the sha1 and md5 are created by nexus? I do recall the discussion about moving to the stronger hashes, so I was surprised to see sha1 and md5 still listed in the VOTE thread.
When verifying a release, I want to verify the signatures are correct and I want to use the asc and sha512 that will show up on the downloads page at https://accumulo.apache.org/downloads/. What about something like "Nexus generates an md5 and sha1 file but those are no longer recommended by Apache for verification of artifacts. For release verification use the 512 signature below" or something. Thanks Christopher. On Mon, Apr 1, 2019 at 10:21 PM Christopher <ctubb...@apache.org> wrote: > Apologies, but I was confused because you said the template was > wrong... but you quoted a portion of the template which was not wrong, > and which I've already explained in my original response to Mike. > > Once again, those are references to files generated by the Maven > tooling, outside our control. Granted, we don't have to mention them > at all. However, the template merely acknowledges their existence. > Providing information for how those files are named still has value in > the Maven context, and is useful for any artifact downloaded from > Maven, not just our tarballs. > > Would there be less confusion over this if the template was a bit more > verbose, saying something like: > (Append ".asc" to download an artifact's corresponding GPG signature, > or ".sha1" or ".md5" to verify the checksums generated by Maven.) > > If you'd prefer this, or an alternative wording, please change it in > the repo... or let me know and I'll change it. > > On Mon, Apr 1, 2019 at 2:22 PM Josh Elser <els...@apache.org> wrote: > > > > Again, like I included earlier: > > > > > (Append ".sha1", ".md5", or ".asc" to download the signature/hash for > > a given artifact.) > > > > On 4/1/19 1:56 PM, Christopher wrote: > > > In what way? > > > > > > On Mon, Apr 1, 2019 at 1:54 PM Josh Elser <els...@apache.org> wrote: > > >> > > >> Your email template is wrong. > > >> > > >> On 4/1/19 1:33 PM, Christopher wrote: > > >>> Sorry, I don't understand what you mean by 'retelling of "checksums > of old"'. > > >>> > > >>> On Mon, Apr 1, 2019 at 12:30 PM Josh Elser <els...@apache.org> > wrote: > > >>>> > > >>>> I think Mike's point was your VOTE template does not reflect the > > >>>> retelling of "checksums of old" > > >>>> > > >>>> > (Append ".sha1", ".md5", or ".asc" to download the > signature/hash for > > >>>> a given artifact.) > > >>>> > > >>>> On 3/31/19 10:54 PM, Christopher wrote: > > >>>>> Mike, > > >>>>> > > >>>>> We already stopped using md5 and sha1 for the release artifacts on > the > > >>>>> mirrors. I did this some time ago, and we discussed it on list on > > >>>>> previous vote threads (last year)... which resulted in me changing > the > > >>>>> release candidate build script automated tooling to embed the > SHA512 > > >>>>> sums for the tarballs directly in the release vote message. I even > > >>>>> went back and updated the downloads page for the previous releases > and > > >>>>> updated the mirrors to be SHA512 only. Because of these steps I > took, > > >>>>> Accumulo was one of the first projects across the entire ASF who > were > > >>>>> 100% compliant immediately after INFRA VP updated the release > > >>>>> distribution policy you linked. > > >>>>> > > >>>>> *This is a resolved action for Accumulo.* > > >>>>> > > >>>>> FWIW, SHA512 was also used as the hash algorithm in the GPG > signature > > >>>>> (same as every RC I've ever prepped for ASF). The only remaining > md5 > > >>>>> and sha1 reference are Maven-specific tooling, and we have no > control > > >>>>> over that tooling. We could change the vote template to no longer > > >>>>> mention them, but I don't see the point since they're still > relevant > > >>>>> within the context of Maven artifact hosting, and that's the > context > > >>>>> in which they are presented in the vote email. > > >>>>> > > >>>>> On Sun, Mar 31, 2019 at 1:59 PM Michael Wall <mjw...@gmail.com> > wrote: > > >>>>>> > > >>>>>> -1 for the issue with commons config > > >>>>>> > > >>>>>> I check the signatures, they are good. We should stop using md5 > and sha1 > > >>>>>> though, see > https://www.apache.org/dev/release-distribution#sigs-and-sums. > > >>>>>> Has anyone looked at moving to sha256 and/org sha512? > > >>>>>> Successful run of mvn clean verify -Psunny > > >>>>>> > > >>>>>> On Sat, Mar 30, 2019 at 11:31 PM Keith Turner <ke...@deenlo.com> > wrote: > > >>>>>> > > >>>>>>> I completed a continuous ingest run on a 10 node cluster running > > >>>>>>> Centos 7. I used the native map. I had to rebuild Accumulo to > work > > >>>>>>> around #1065 inorder to get the verify M/R job to run. > > >>>>>>> > > >>>>>>> > org.apache.accumulo.test.continuous.ContinuousVerify$Counts > > >>>>>>> REFERENCED=34417110819 > > >>>>>>> UNREFERENCED=9097524 > > >>>>>>> > > >>>>>>> On Wed, Mar 27, 2019 at 7:57 PM Christopher <ctubb...@apache.org> > wrote: > > >>>>>>>> > > >>>>>>>> Accumulo Developers, > > >>>>>>>> > > >>>>>>>> Please consider the following candidate for Apache Accumulo > 1.9.3. > > >>>>>>>> > > >>>>>>>> This supersedes RC1 and contains the following change: > > >>>>>>>> https://github.com/apache/accumulo/pull/1057 > > >>>>>>>> > > >>>>>>>> Git Commit: > > >>>>>>>> 94f9782242a1f336e176c282f0f90063a21e361d > > >>>>>>>> Branch: > > >>>>>>>> 1.9.3-rc2 > > >>>>>>>> > > >>>>>>>> If this vote passes, a gpg-signed tag will be created using: > > >>>>>>>> git tag -f -m 'Apache Accumulo 1.9.3' -s rel/1.9.3 \ > > >>>>>>>> 94f9782242a1f336e176c282f0f90063a21e361d > > >>>>>>>> > > >>>>>>>> Staging repo: > > >>>>>>> > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077 > > >>>>>>>> Source (official release artifact): > > >>>>>>>> > > >>>>>>> > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/org/apache/accumulo/accumulo/1.9.3/accumulo-1.9.3-src.tar.gz > > >>>>>>>> Binary: > > >>>>>>> > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/org/apache/accumulo/accumulo/1.9.3/accumulo-1.9.3-bin.tar.gz > > >>>>>>>> (Append ".sha1", ".md5", or ".asc" to download the > signature/hash for > > >>>>>>>> a given artifact.) > > >>>>>>>> > > >>>>>>>> In addition to the tarballs, and their signatures, the > following checksum > > >>>>>>>> files will be added to the dist/release SVN area after release: > > >>>>>>>> accumulo-1.9.3-src.tar.gz.sha512 will contain: > > >>>>>>>> SHA512 (accumulo-1.9.3-src.tar.gz) = > > >>>>>>>> > > >>>>>>> > b366b89295b1835038cb242f8ad46b1d8455753a987333f0e15e3d89749540f2cd59db1bc6cf7100fc9050d3d0bc7340a3b661381549d40f2f0223d4120fd809 > > >>>>>>>> accumulo-1.9.3-bin.tar.gz.sha512 will contain: > > >>>>>>>> SHA512 (accumulo-1.9.3-bin.tar.gz) = > > >>>>>>>> > > >>>>>>> > cc909296d9bbd12e08064fccaf21e81b754c183a8264dfa2575762c76705fd0c580b50c2b224c60feaeec120bd618fba4d6176d0f53e96e1ca9da0d9e2556f1f > > >>>>>>>> > > >>>>>>>> Signing keys are available at > https://www.apache.org/dist/accumulo/KEYS > > >>>>>>>> (Expected fingerprint: 8CC4F8A2B29C2B040F2B835D6F0CDAE700B6899D) > > >>>>>>>> > > >>>>>>>> Release notes (in progress) can be found at: > > >>>>>>>> https://accumulo.apache.org/release/accumulo-1.9.3/ > > >>>>>>>> > > >>>>>>>> Release testing instructions: > > >>>>>>>> https://accumulo.apache.org/contributor/verifying-release > > >>>>>>>> > > >>>>>>>> Please vote one of: > > >>>>>>>> [ ] +1 - I have verified and accept... > > >>>>>>>> [ ] +0 - I have reservations, but not strong enough to vote > against... > > >>>>>>>> [ ] -1 - Because..., I do not accept... > > >>>>>>>> ... these artifacts as the 1.9.3 release of Apache Accumulo. > > >>>>>>>> > > >>>>>>>> This vote will remain open until at least Sun Mar 31 00:00:00 > UTC 2019. > > >>>>>>>> (Sat Mar 30 20:00:00 EDT 2019 / Sat Mar 30 17:00:00 PDT 2019) > > >>>>>>>> Voting can continue after this deadline until the release > manager > > >>>>>>>> sends an email ending the vote. > > >>>>>>>> > > >>>>>>>> Thanks! > > >>>>>>>> > > >>>>>>>> P.S. Hint: download the whole staging repo with > > >>>>>>>> wget -erobots=off -r -l inf -np -nH \ > > >>>>>>>> > > >>>>>>> > https://repository.apache.org/content/repositories/orgapacheaccumulo-1077/ > > >>>>>>>> # note the trailing slash is needed > > >>>>>>> >
