TLDR; The release distribution checksum policy requires new releases to use SHA-512 or SHA-256 and not SHA-1 for verification. Existing releases do not need to be changed. Releases still need to be signed via detached PGP signatures.
---------- Forwarded message ---------
From: Craig Russell <[email protected]>
Date: Mon, Aug 13, 2018 at 4:46 PM
Subject: New release distribution checksum policy
To: Apache Members <[email protected]>

TLDR; The release distribution checksum policy requires new releases to use SHA-512 or SHA-256 and not SHA-1 for verification. Existing releases do not need to be changed. Releases still need to be signed via detached PGP signatures.

Details:

Recently, a successful penetration of SHA-1 was verified, and SHA-1 is no longer considered safe for crypto hashes:
https://www.pcworld.com/article/3173791/security/stop-using-sha1-it-s-now-completely-unsafe.html

[1] http://www.apache.org/legal/release-policy.html#release-announcements
[2] https://www.apache.org/dev/release-distribution#download-links
[3] https://www.apache.org/dev/release-distribution#sigs-and-sums

Announcements of Apache project releases must contain a link to the relevant download page, which might be hosted on an Apache site or a third-party site such as github.com. [1]

All official releases must be uploaded to the official distribution channel, www.apache.org/dist. The download page must provide public download links where current official source releases and accompanying cryptographic files may be obtained. [2]

The policy on release distribution has been changed to require SHA-512 or SHA-256 and disallow new artifacts to use SHA-1. [3]

Links to the download artifacts must support downloads from mirrors, e.g. via links to dyn/closer.

Links to metadata (SHA, ASC) must be from https://www.apache.org/dist/<project>/<release> and specifically not from dist.apache.org/repos/dist.

MD5 is no longer considered useful and should not be used. SHA is required.

Similarly, SHA-1 is no longer considered useful and should not be used. SHA-512 (preferred) or SHA-256 are required for new releases.

Older releases need not be updated, may continue unchanged, and might use MD5 or SHA-1.

Links to KEYS must be from https://www.apache.org/dist/<project>/, not release specific.

Announcements that contain a link to the dyn/closer page alone will be rejected by the moderators.

Announcements that contain a link to a web page that does not include a link to a mirror to the artifact plus links to the signature and at least one SHA checksum will be rejected.

Craig L Russell
Secretary, Apache Software Foundation
[email protected]
http://db.apache.org/jdo
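The verification the policy above asks downstream users to perform (a SHA-512 checksum from www.apache.org/dist plus a detached PGP signature checked against the project's KEYS file), written out as an added example. This script is not part of the forwarded email or of any ASF tooling; the artifact name `apache-example-1.0-src.tar.gz`, the project path `example/1.0` and the sample payload are constructed for the self-check. It handles both checksum-file layouts that Apache projects ship (`sha512sum`-style `HEX  filename` and `gpg --print-md`-style `filename: HEX HEX ...`), rejects a tampered artifact, and applies the link rule from the email: `.asc`/`.sha512`/`.sha256` metadata must come from `https://www.apache.org/dist/<project>/<release>`, never from `dist.apache.org/repos/dist`, and `.md5`/`.sha1` files are not accepted for new releases.

```shell
#!/bin/sh
# Added example (not from the email or the ASF policy pages): verify an Apache
# release artifact against its .sha512 file and detached .asc signature, and
# check that metadata links follow the release-distribution policy.

# SHA-512 hex digest of a file, using whichever tool is installed.
digest_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 512 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha512 "$1" | sed 's/^.*= //'
  fi
}

# Pull the 128-hex-digit digest out of a .sha512 file. Projects publish either
# "HEX  filename" (sha512sum/shasum) or "filename: HEX HEX ..." wrapped over
# several lines (gpg --print-md), so whitespace is stripped before matching.
expected_sha512() {
  tr -d ' \n\r\t' < "$1" | grep -o '[0-9A-Fa-f]\{128\}' | head -n 1 | tr 'A-F' 'a-f'
}

# Succeeds only when the artifact's digest equals the published one.
verify_checksum() {
  actual=$(digest_sha512 "$1")
  expected=$(expected_sha512 "$2")
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Detached PGP signature check. Requires gpg and a keyring populated from
# https://www.apache.org/dist/<project>/KEYS (not release specific).
verify_signature() {
  gpg --verify "$2" "$1"
}

# Link rule from the policy: signature and checksum files must be served from
# https://www.apache.org/dist/<project>/<release>; only .asc, .sha512 and
# .sha256 qualify, so dist.apache.org/repos/dist, .md5 and .sha1 URLs fail.
metadata_url_ok() {
  case "$1" in
    https://www.apache.org/dist/*/*.asc) return 0 ;;
    https://www.apache.org/dist/*/*.sha512) return 0 ;;
    https://www.apache.org/dist/*/*.sha256) return 0 ;;
    *) return 1 ;;
  esac
}

# Offline self-check on constructed sample files (no network, no gpg needed).
self_check() {
  tmp=$(mktemp -d) || return 1
  art="$tmp/apache-example-1.0-src.tar.gz"
  printf 'constructed sample release payload\n' > "$art"
  d=$(digest_sha512 "$art")
  # sha512sum-style checksum file
  printf '%s  apache-example-1.0-src.tar.gz\n' "$d" > "$tmp/a.sha512"
  # gpg --print-md style: uppercase, grouped in fours
  grouped=$(printf '%s' "$d" | tr 'a-f' 'A-F' | sed 's/..../& /g')
  printf 'apache-example-1.0-src.tar.gz: %s\n' "$grouped" > "$tmp/b.sha512"
  # a modified artifact that must not verify against either file
  printf 'constructed sample release payload (tampered)\n' > "$tmp/evil.tar.gz"

  verify_checksum "$art" "$tmp/a.sha512" || return 1
  verify_checksum "$art" "$tmp/b.sha512" || return 1
  if verify_checksum "$tmp/evil.tar.gz" "$tmp/a.sha512"; then return 1; fi
  metadata_url_ok "https://www.apache.org/dist/example/1.0/apache-example-1.0-src.tar.gz.sha512" || return 1
  metadata_url_ok "https://www.apache.org/dist/example/1.0/apache-example-1.0-src.tar.gz.asc" || return 1
  if metadata_url_ok "https://dist.apache.org/repos/dist/release/example/1.0/apache-example-1.0-src.tar.gz.sha512"; then return 1; fi
  if metadata_url_ok "https://www.apache.org/dist/example/1.0/apache-example-1.0-src.tar.gz.sha1"; then return 1; fi
  rm -rf "$tmp"
}

# Real-world use, after downloading the artifact from a mirror (dyn/closer)
# and the metadata from www.apache.org/dist:
#   verify_checksum apache-foo-1.0.tar.gz apache-foo-1.0.tar.gz.sha512 \
#     && verify_signature apache-foo-1.0.tar.gz apache-foo-1.0.tar.gz.asc
self_check && echo "self-check passed"
```

The checksum and the signature guard different things: the `.sha512` file confirms the mirror delivered the bytes the project published, while the `.asc` signature, verified against a key from the project's KEYS file, confirms who published them. Since both files are fetched from www.apache.org/dist rather than from the mirror, a compromised mirror cannot substitute matching checksums for a modified artifact.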
