One last thing: should the sha512 only be generated on the source-release
tarball and zips?

Just want to make sure. Traditionally Apache Felix listed the checksums on
the website. But if we don't have the checksums for the artifacts we can't
do that anymore unless we generate them manually.

- Ray

On Thu, Oct 18, 2018 at 4:31 AM Konrad Windszus <konra...@gmx.de> wrote:

>
>
> > On 18. Oct 2018, at 10:26, Bertrand Delacretaz <bdelacre...@apache.org>
> wrote:
> >
> > Note that http://www.apache.org/dev/release-distribution#sigs-and-sums
> > now says SHOULD supply sha-512 and SHOULD NOT supply md5.
>
> Actually it says in another paragraph:
>
> > For new releases, PMCs MUST supply SHA-256 and/or SHA-512;
>
>
> So this is mandatory to provide for new(!) releases.
>
>

-- 
*Raymond Augé* <http://www.liferay.com/web/raymond.auge/profile>
 (@rotty3000)
Senior Software Architect *Liferay, Inc.* <http://www.liferay.com>
 (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance <http://osgi.org> (@OSGiAlliance)
