Cos,

Regarding the release artifacts:
Is it possible to publish a KEYS file, containing the public part of the signing key?

BTW, this is already documented here: http://www.apache.org/dyn/closer.lua/bigtop/bigtop-1.0.0/

Olaf

> On 10.10.2015 at 20:44, Konstantin Boudnik <c...@apache.org> wrote:
>
> No, I was more after our own release signing practices. And me as the RM for
> the last is to blame for not raising this earlier. We're still using md5 and
> sha1 to sign our releases. And I am proposing to switch to sha512, starting
> from 1.1 and on.
>
> Cos
>
> On Sat, Oct 10, 2015 at 08:23PM, Olaf Flebbe wrote:
>> Hi Cos,
>>
>> What signatures are you targeting specifically?
>>
>> org.apache.hadoop.io.MD5Hash and its usage?
>>
>> or
>>
>> something like
>>
>> bigtop-packages/src/deb/hama/rules: dh_md5sums
>> bigtop-packages/src/common/pig/do-component-build: echo
>> "ea58a078e3861d4dfc8bf3296a53a5f8 apache-forrest-0.9.tar.gz"
>> >apache-forrest-0.9.tar.md5
>> bigtop-packages/src/common/pig/do-component-build: if ! md5sum -c --quiet
>> apache-forrest-0.9.tar.md5 ; then
>>
>> or ???
>>
>> Olaf
>>
>>> On 09.10.2015 at 23:02, Konstantin Boudnik <c...@apache.org> wrote:
>>>
>>> Guys,
>>>
>>> We had to get rid of md5 sum a long time ago, but it seems that sha1 is
>>> hitting
>>> the wall as well. Here's the good description of the problem:
>>> https://sites.google.com/site/itstheshappening/
>>>
>>> I'd suggest to scrap both of them in the next release. Any objections?
>>>
>>> Cos
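The pinned-digest check quoted from `do-component-build` and the proposed move to sha512 for release checksums can be combined as below. This is an added example, not part of the thread or of Bigtop's code; the function names are hypothetical and it assumes a `sha512sum` from GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example (not Bigtop code). Assumes GNU coreutils or busybox sha512sum.

# Print the lowercase SHA-512 hex digest of FILE.
sha512_of() {
    # Hash via stdin so unusual file names cannot change the output format.
    sha512sum < "$1" | cut -d' ' -f1
}

# verify_sha512 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a malformed pin or missing file.
verify_sha512() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-512 digest is exactly 128 hex characters; refuse anything else so
    # an empty, truncated or MD5-length pin is never treated as a match.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed digest" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA-512 mismatch for $file" >&2
    return 1
}

# write_sha512 FILE
# Publish FILE.sha512 next to a release artifact in "<hex>  <name>" form,
# which `sha512sum -c` accepts on the downloader's side.
write_sha512() {
    printf '%s  %s\n' "$(sha512_of "$1")" "$(basename "$1")" > "$1.sha512"
}
```

A checksum file only detects corruption or a swapped file when it is fetched from a trusted location; authenticity of the release still depends on the OpenPGP signature and the KEYS file asked about above.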