Surely the plugin should upload whatever it finds?

Or does the plugin create the hashes as well?

On 5 March 2018 at 15:51, Rob Tompkins <chtom...@gmail.com> wrote:
> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull that 
> back in lieu of adding sha512 and removing sha1, md5? I haven’t promoted the 
> RC yet.
>
> -Rob
>
>> On Mar 5, 2018, at 10:27 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>
>> Rob: How does this affect your release plugin?
>>
>> Gary
>> ---------- Forwarded message ----------
>> From: Henk P. Penning <penn...@uu.nl>
>> Date: Mon, Mar 5, 2018 at 4:18 AM
>> Subject: checksum file Release Distribution Policy
>> To: he...@apache.org
>>
>>
>> Hi Pmcs,
>>
>>   The Release Distribution Policy[1] changed regarding checksum files.
>>   See under "Cryptographic Signatures and Checksums Requirements" [2].
>>
>>     MD5-file == a .md5 file
>>     SHA-file == a .sha1, .sha256 or .sha512 file
>>
>>  Old policy :
>>
>>     -- MUST provide a MD5-file
>>     -- SHOULD provide a SHA-file [SHA-512 recommended]
>>
>>  New policy :
>>
>>     -- MUST provide a SHA- or MD5-file
>>     -- SHOULD provide a SHA-file
>>     -- SHOULD NOT provide a MD5-file
>>
>>     Providing MD5 checksum files is now discouraged for new releases,
>>     but still allowed for past releases.
>>
>>  Why this change :
>>
>>     -- MD5 is broken for many purposes ; we should move away from it.
>>        https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
>>
>>  Impact for PMCs :
>>
>>     -- for new releases :
>>        -- please do provide a SHA-file (one or more, if you like)
>>        -- do NOT provide a MD5-file
>>
>>     -- for past releases :
>>        -- you are not required to change anything
>>        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>>           it would be nice if you removed the MD5-file
>>
>>     -- if, at the moment, you provide MD5-files,
>>        please adjust your release tooling.
>>
>>  Please mail me (he...@apache.org) if you have any questions etc.
>>
>>  FYI :
>>
>>   Many projects are not (entirely, strictly) checksum file compliant.
>>   For an overview/inventory (by project) see :
>>
>>    https://checker.apache.org/dist/unsummed.html
>>
>>  At the moment :
>>
>>     -- no checksum : 176 packages in 28 projects ; non-compliant
>>     -- only MD5    : 495 packages in 44 projects ; update tooling
>>     -- only SHA    : 135 packages in 13 projects ; now compliant
>>
>>   In many cases, only a few (among many) checksum files are missing ;
>>   you may want to fix that.
>>
>>   [1] http://www.apache.org/dev/release-distribution
>>   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>
>>  Thanks, groeten,
>>
>>  Henk Penning -- apache.org infrastructure ; dist & mirrors.
>>
>> ------------------------------------------------------------   _
>> Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
>> Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
>> Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
>> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl     \_/
>
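
An added example, not part of the thread and not code from the release plugin or from checker.apache.org: a small audit of a release staging directory that sorts artifacts into the categories used in the policy mail above and re-checks a .sha512 file. The function names and the assumption that the digest is the first whitespace-separated token of the checksum file are choices made for this sketch.

```python
import hashlib
from pathlib import Path

SHA_EXTS = (".sha1", ".sha256", ".sha512")  # "SHA-file" in the policy mail
MD5_EXT = ".md5"                            # "MD5-file" in the policy mail
SIDECARS = SHA_EXTS + (MD5_EXT, ".asc")     # checksum/signature files, not artifacts


def classify(dist_dir):
    """Return {artifact name: category} for every artifact in dist_dir."""
    files = {p.name for p in Path(dist_dir).iterdir() if p.is_file()}
    report = {}
    for name in sorted(files):
        if name.endswith(SIDECARS):
            continue  # skip the sidecar files themselves
        has_sha = any(name + ext in files for ext in SHA_EXTS)
        has_md5 = name + MD5_EXT in files
        if has_sha and has_md5:
            report[name] = "SHA and MD5"   # new releases: drop the MD5-file
        elif has_sha:
            report[name] = "only SHA"      # compliant under the new policy
        elif has_md5:
            report[name] = "only MD5"      # release tooling needs updating
        else:
            report[name] = "no checksum"   # non-compliant
    return report


def verify_sha512(artifact):
    """Recompute SHA-512 of artifact and compare with its .sha512 file.

    Assumption: the hex digest is the first token in the checksum file.
    """
    artifact = Path(artifact)
    sidecar = artifact.with_name(artifact.name + ".sha512")
    expected = sidecar.read_text().split()[0].lower()
    digest = hashlib.sha512()
    with artifact.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected


if __name__ == "__main__":
    import sys
    for artifact, category in classify(sys.argv[1]).items():
        print(f"{category:12} {artifact}")
```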
