Do guidelines on which algorithm to use for GPG signing need to be added?

On 5 March 2018 at 13:18, Gilles <gil...@harfang.homelinux.org> wrote:

> On Mon, 5 Mar 2018 11:35:27 -0500, Rob Tompkins wrote:
>
>> The plugin only finds the assemblies, and the .asc files. We’ve been
>> using the created signatures from nexus. So, I actually am creating
>> the same signature files in the plugin. So, we have some leeway in
>> deciding what sorts of signatures we want to upload to the “dist” svn
>> repo.
>>
>
> For this, we should (IIUC):
>  * not use MD5
>  * use SHA-512
>
> Does the plugin create those checksum files for the "full dist"
> archive files for a multi-module maven project?
>
> Gilles
>
> [...]
>>
>>>
>>>>> Old policy :
>>>>>
>>>>> -- MUST provide a MD5-file
>>>>> -- SHOULD provide a SHA-file [SHA-512 recommended]
>>>>>
>>>>> New policy :
>>>>>
>>>>> -- MUST provide a SHA- or MD5-file
>>>>> -- SHOULD provide a SHA-file
>>>>> -- SHOULD NOT provide a MD5-file
>>>>>
>>>>> [...]
>>>>>
>>>>
>

-- 
Matt Sicker <boa...@gmail.com>
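
A checker for the "new policy" quoted in the thread above, as an added example that is not part of the thread or of the plugin under discussion. It assumes sidecar files named `<artifact>.<ext>` (sha1, sha256, sha512, md5, asc) whose first whitespace-separated token is the hex digest, and it also recomputes each SHA digest against the artifact; the file names in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed naming convention (not stated in the thread): checksum and
# signature files sit beside the artifact as <artifact>.<ext>.
SHA_EXTS = ("sha1", "sha256", "sha512")
SIDE_EXTS = SHA_EXTS + ("md5", "asc")

def check_dist(dist_dir):
    """Return {artifact name: [findings]} under the thread's "new policy"."""
    dist = Path(dist_dir)
    report = {}
    artifacts = sorted(p for p in dist.iterdir()
                       if p.is_file() and p.suffix.lstrip(".") not in SIDE_EXTS)
    for art in artifacts:
        findings = []
        shas = [e for e in SHA_EXTS if (dist / f"{art.name}.{e}").exists()]
        has_md5 = (dist / f"{art.name}.md5").exists()
        if not shas and not has_md5:
            findings.append("MUST: no SHA or MD5 file")
        if not shas:
            findings.append("SHOULD: no SHA file")
        if has_md5:
            findings.append("SHOULD NOT: MD5 file present")
        for ext in shas:
            # A checksum file is only useful if it matches the artifact.
            tokens = (dist / f"{art.name}.{ext}").read_text().split()
            actual = hashlib.new(ext, art.read_bytes()).hexdigest()
            if not tokens or tokens[0].lower() != actual:
                findings.append(f"MISMATCH: {ext} digest does not match artifact")
        report[art.name] = findings
    return report

def demo():
    """Build a constructed dist directory covering each policy outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("good-1.0.tar.gz", "legacy-1.0.zip", "bare-1.0.zip", "bad-1.0.zip"):
            (d / name).write_bytes(name.encode())  # constructed content
        good = hashlib.sha512(b"good-1.0.tar.gz").hexdigest()
        (d / "good-1.0.tar.gz.sha512").write_text(good + "  good-1.0.tar.gz\n")
        (d / "legacy-1.0.zip.md5").write_text("constructed-md5-value\n")
        (d / "bad-1.0.zip.sha512").write_text("00" * 64 + "\n")  # wrong digest
        return check_dist(d)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```
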