> On Mar 5, 2018, at 11:52 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
>> On Mon, Mar 5, 2018 at 8:51 AM, Rob Tompkins <chtom...@gmail.com> wrote:
>>
>> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull
>> that back in lieu of adding sha512 and removing sha1, md5? I haven’t
>> promoted the RC yet.
>
> I would move the release along, then consider how to implement with the new
> policy in a subsequent release.

Yup. That’s the direction I was leaning.

> Gary
>
>> -Rob
>>
>>> On Mar 5, 2018, at 10:27 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>
>>> Rob: How does this affect your release plugin?
>>>
>>> Gary
>>>
>>> ---------- Forwarded message ----------
>>> From: Henk P. Penning <penn...@uu.nl>
>>> Date: Mon, Mar 5, 2018 at 4:18 AM
>>> Subject: checksum file Release Distribution Policy
>>> To: he...@apache.org
>>>
>>> Hi Pmcs,
>>>
>>> The Release Distribution Policy[1] changed regarding checksum files.
>>> See under "Cryptographic Signatures and Checksums Requirements" [2].
>>>
>>> MD5-file == a .md5 file
>>> SHA-file == a .sha1, .sha256 or .sha512 file
>>>
>>> Old policy :
>>>
>>> -- MUST provide a MD5-file
>>> -- SHOULD provide a SHA-file [SHA-512 recommended]
>>>
>>> New policy :
>>>
>>> -- MUST provide a SHA- or MD5-file
>>> -- SHOULD provide a SHA-file
>>> -- SHOULD NOT provide a MD5-file
>>>
>>> Providing MD5 checksum files is now discouraged for new releases,
>>> but still allowed for past releases.
>>>
>>> Why this change :
>>>
>>> -- MD5 is broken for many purposes ; we should move away from it.
>>>    https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
>>>
>>> Impact for PMCs :
>>>
>>> -- for new releases :
>>>    -- please do provide a SHA-file (one or more, if you like)
>>>    -- do NOT provide a MD5-file
>>>
>>> -- for past releases :
>>>    -- you are not required to change anything
>>>    -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>>>       it would be nice if you removed the MD5-file
>>>
>>> -- if, at the moment, you provide MD5-files,
>>>    please adjust your release tooling.
>>>
>>> Please mail me (he...@apache.org) if you have any questions etc.
>>>
>>> FYI :
>>>
>>> Many projects are not (entirely, strictly) checksum file compliant.
>>> For an overview/inventory (by project) see :
>>>
>>> https://checker.apache.org/dist/unsummed.html
>>>
>>> At the moment :
>>>
>>> -- no checksum : 176 packages in 28 projects ; non-compliant
>>> -- only MD5    : 495 packages in 44 projects ; update tooling
>>> -- only SHA    : 135 packages in 13 projects ; now compliant
>>>
>>> In many cases, only a few (among many) checksum files are missing ;
>>> you may want to fix that.
>>>
>>> [1] http://www.apache.org/dev/release-distribution
>>> [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>>
>>> Thanks, regards,
>>>
>>> Henk Penning -- apache.org infrastructure ; dist & mirrors.
>>>
>>> ------------------------------------------------------------
>>> Henk P. Penning, ICT-beta R Uithof MG-403
>>> Faculty of Science, Utrecht University T +31 30 253 4106
>>> Leuvenlaan 4, 3584CE Utrecht, NL F +31 30 253 4553
>>> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl
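As an added example (not part of the thread, and not Apache or Commons release tooling), the following POSIX shell script audits a dist directory in the checker's categories quoted above (no checksum, only MD5, only SHA) and adds the recommended .sha512 sidecar wherever only an .md5, or nothing, exists. It assumes sidecars use the `sha512sum` text format and that artifacts are the .tar.gz/.zip/.jar files; the .asc signature is left alone.

```shell
# Audit a dist directory against the checksum rules quoted above and add the
# recommended .sha512 sidecars. Assumed (not from the thread): sidecars use the
# sha512sum text format "HASH  filename"; artifacts are .tar.gz/.zip/.jar files.
set -eu

# Hex SHA-512 digest of a file (coreutils, with a shasum fallback).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | cut -d' ' -f1
    else shasum -a 512 "$1" | cut -d' ' -f1; fi
}
# Classify an artifact by its sidecars: none | md5-only | sha-only | both.
# "none" is the non-compliant case, "md5-only" the "update tooling" case.
classify() {
    md5=0; sha=0
    if [ -f "$1.md5" ]; then md5=1; fi
    for ext in sha1 sha256 sha512; do if [ -f "$1.$ext" ]; then sha=1; fi; done
    case "$md5$sha" in
        00) echo none ;; 10) echo md5-only ;; 01) echo sha-only ;; 11) echo both ;;
    esac
}

# Write "HASH  basename" to <artifact>.sha512 so `sha512sum -c` works in dist/.
write_sha512() {
    printf '%s  %s\n' "$(sha512_of "$1")" "$(basename "$1")" > "$1.sha512"
}
# Recompute the digest and compare with the .sha512; non-zero on mismatch.
verify_sha512() {
    [ "$(cut -d' ' -f1 "$1.sha512")" = "$(sha512_of "$1")" ]
}

# Add a .sha512 wherever no SHA file exists, then report each artifact's state.
# Stray .md5 files are only reported; removing them is left to the releaser.
audit_dist() {
    for f in "$1"/*.tar.gz "$1"/*.zip "$1"/*.jar; do
        [ -f "$f" ] || continue
        case "$(classify "$f")" in none|md5-only) write_sha512 "$f" ;; esac
        printf '%-30s %s\n' "$(basename "$f")" "$(classify "$f")"
    done
}

# Demo on a constructed directory: one artifact with only an .md5 (old tooling),
# one already carrying a .sha512, one with no checksum file at all.
demo=$(mktemp -d)
printf 'constructed artifact A' > "$demo/commons-a-1.1-bin.tar.gz"
printf 'constructed, not a real digest' > "$demo/commons-a-1.1-bin.tar.gz.md5"
printf 'constructed artifact B' > "$demo/commons-b-2.0.zip"
write_sha512 "$demo/commons-b-2.0.zip"
printf 'constructed artifact C' > "$demo/commons-c-3.0.jar"
audit_dist "$demo"
```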