On 24 August 2018 at 14:13, Benedikt Ritter <brit...@apache.org> wrote: > Hi Thomas, > > Am Fr., 24. Aug. 2018 um 13:13 Uhr schrieb Thomas Vandahl <t...@apache.org>: > >> Hi Benedikt, >> >> On 23.08.18 18:25, Benedikt Ritter wrote: >> > Am Do., 23. Aug. 2018 um 09:16 Uhr schrieb Thomas Vandahl <t...@apache.org >> >: >> > >> >> Shall we use this for commons-parent? >> >> >> > >> > Sounds reasonable to me. >> >> If I'm not mistaken, the requirement for SHA-512 checksums only exists >> for the source distribution, not the binaries. At least this is what I >> derive from Hervés implementation in Apache Parent 21. However, the >> plugin configuration only kicks in, if the source release artifact name >> ends with "-source-release.[zip|tar*]" From what I see in the latest >> votes, Apache Commons uses another naming scheme (I do, too). Shall we >> adapt? >> > > What do you mean? Adapt our artifact naming scheme or adapt what Apache > Parent 21 does? Since SHA-512 checksums are required now, we need to find a > way to implement this :-) I'm not sure what's the best way for that right > now. What do others think?
If it really is the case that the Apache Parent POM only creates the checksums for artifacts with a specific name, then IMO it is badly broken and needs a bug report. All artifacts that linked from the page must have sigs and hashes, and these must not be MD5 or SHA1. See: https://www.apache.org/dev/release-distribution#sigs-and-sums Note that it says: "For every artifact distributed to the public through Apache channels, the PMC..." Since we distribute the binaries, they must have SHA256+ > Benedikt > > >> >> Bye, Thomas >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org