Hi Christopher: Thanks for your involvement. Apache Maven is one of many projects at the Apache Software Foundation. Each project has its own mailing lists. So your discussion should probably go to [email protected], which I’ve cc’d on this response. If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.
Thanks again,

Greg Trasuk

> On May 18, 2016, at 1:45 PM, Christopher <[email protected]> wrote:
>
> Hi all,
>
> I'm not sure of a better list to get feedback on, but I wanted to bring
> attention to the proposal here:
> https://issues.apache.org/jira/browse/MPOM-118
>
> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
> Maven/Java-based projects within ASF. This configuration takes effect
> during software releases when this plugin is activated (typically prior to
> a release candidate vote, and staging a release in Nexus for distribution
> to Maven Central).
>
> This would only affect the hash algorithm used to generate GPG signatures
> for releases, and not any separate SHA/MD hashes published separately by
> any project, which can be weaker (SHA1, MD5) for convenience, and don't
> convey the strong authenticity statement that digital signatures provide.
>
> For background, gpg uses SHA1 by default, unless the signing key or gpg
> configuration has a preference to use another algorithm (as described on
> https://www.apache.org/dev/openpgp).
>
> This proposed configuration change wouldn't force the use of SHA512 (it
> could still be overridden by a project), but it would make it the default,
> which helps improve the security of releases in the case where release
> managers have failed to keep their configuration up-to-date with the best
> recommendations for using gpg.
>
> Thoughts? +1s? Discuss here or on the JIRA please.
>
> Thank you.
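For readers following the proposal above, here is an added example (not taken from the thread or from the ASF parent POM itself) of how a parent POM can pin the digest algorithm that maven-gpg-plugin passes to gpg. It assumes a plugin version that supports the `gpgArguments` parameter; the version property name is a placeholder.

```xml
<!-- Example parent-POM fragment (added illustration, not the ASF parent POM). -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <!-- placeholder: set to the plugin version your build uses -->
        <version>${maven-gpg-plugin.version}</version>
        <configuration>
          <!-- Extra flags handed straight to the gpg binary. Without these,
               gpg falls back to its own default digest (historically SHA1)
               unless the signing key or gpg.conf states a preference. -->
          <gpgArguments>
            <arg>--digest-algo</arg>
            <arg>SHA512</arg>
          </gpgArguments>
        </configuration>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```

Because this lives in `pluginManagement`, a child project can still override the arguments in its own `<plugin>` block, which matches the "default, not forced" intent of the proposal. To confirm what a produced `.asc` actually used, `gpg --list-packets artifact.jar.asc` reports the signature's `digest algo` (10 is SHA512 in the OpenPGP registry, 2 is SHA1).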
