Is seems that parent is already updated in https://issues.apache.org/jira/browse/IGNITE-13987 <https://issues.apache.org/jira/browse/IGNITE-13987>
> On 14 Jan 2021, at 01:57, Valentin Kulichenko <valentin.kuliche...@gmail.com> > wrote: > > Andrey, > > This sounds even better. Can you create a ticket for this change? > > -Val > > On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov <andrey.mashen...@gmail.com> > wrote: > >> Val, >> >> I've just found Maven projects use SHA-512. >> I passed through commits and found they just switched to newer parent >> org.apache:apache pom. >> I've compared our current parent pom with the latest available one >> (org.apache:apache:16 vs org.apache:apache:23) >> and then found checksum-maven-plugin was added [1] somewhen in between. >> >> So, seems we have to switched to newer apache pom and maybe add >> checksum-maven-plugin >> to our main pom. >> >> [1] >> >> https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a >> >> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko < >> valentin.kuliche...@gmail.com> wrote: >> >>> Hi Andrey, >>> >>> This indeed sounds like the cleanest way. I don't know how much effort >> that >>> would be though. >>> >>> -Val >>> >>> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov < >>> andrey.mashen...@gmail.com> wrote: >>> >>>> Maybe, we could donate to maven plugin possibility to switch to >> SHA-512. >>>> Hopefully, a new plugin version will be released before we have any >>> release >>>> candidate. >>>> >>>> Is it looks like a big deal? >>>> >>>> ср, 13 янв. 2021 г., 21:32 Valentin Kulichenko < >>>> valentin.kuliche...@gmail.com>: >>>> >>>>> Hi Ivan, >>>>> >>>>> No, I haven't found a way yet. SHA1 still works, but I believe we >>> should >>>>> consider using better options in future releases. >>>>> >>>>> Do you have any ideas on how to implement this? >>>>> >>>>> -Val >>>>> >>>>> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <vololo...@gmail.com> >>>>> wrote: >>>>> >>>>>> Folks, >>>>>> >>>>>> Were you able to resolve this? >>>>>> >>>>>> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko < >>>>>> valentin.kuliche...@gmail.com>: >>>>>>> Hi Ivan, >>>>>>> >>>>>>> Thanks for your response. I've looked into the PGP plugin, and >>>>>>> unfortunately it looks like it only can create signatures, but >> not >>>>>>> checksums. >>>>>>> >>>>>>> -Val >>>>>>> >>>>>>> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov < >>>> bessonov...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> I've never done this before, but it seems like we need >>>>> maven-gpg-plugin >>>>>>>> for >>>>>>>> it [1]. >>>>>>>> >>>>>>>> Algorithm configuration would look like this: >>>>>>>> <gpgArguments> >>>>>>>> <arg>--digest-algo=SHA512</arg> >>>>>>>> </gpgArguments> >>>>>>>> >>>>>>>> Maybe this will help. >>>>>>>> >>>>>>>> [1] >>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >>> >> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html >>>>>>>> >>>>>>>> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < >>>>>>>> valentin.kuliche...@gmail.com>: >>>>>>>> >>>>>>>>> Igniters, >>>>>>>>> >>>>>>>>> I've been preparing the 3.0.0-alpha1 release and got confused >>>> about >>>>>> the >>>>>>>>> requirements for checksums in Maven deployments. The Apache >>>>>> instruction >>>>>>>> [1] >>>>>>>>> states that MD5 is deprecated and SHA1 should be avoided in >>> favor >>>> of >>>>>>>>> SHA-256 or SHA-512. However, it looks like we are still using >>> the >>>>>>>> MD5/SHA1 >>>>>>>>> combination (at least that's what the staging for 2.9.1 [2] >>>>> contains). >>>>>>>>> >>>>>>>>> On top of that, I can't find an easy way to switch to another >>>>> checksum >>>>>>>>> - >>>>>>>>> Maven deploy plugin [3] creates MD5 and SHA1 files >> automatically >>>> and >>>>>>>>> doesn't seem to have any options to tweak this behavior. >>>>>>>>> >>>>>>>>> That said, I have two questions: >>>>>>>>> >>>>>>>>> 1. Are we required to use SHA512 or MD5/SHA1 is OK for now? >>>>>>>>> 2. Is there a painless way to include SHA512 in addition to >>>>>>>>> MD5/SHA1? >>>>>>>>> >>>>>>>>> Can anyone shed some light on this? >>>>>>>>> >>>>>>>>> [1] https://infra.apache.org/release-signing.html#basic-facts >>>>>>>>> [2] >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>>> >>>> >>> >> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ >>>>>>>>> [3] >>>>>>>> >>>> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html >>>>>>>>> >>>>>>>>> -Val >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Sincerely yours, >>>>>>>> Ivan Bessonov >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> >>>>>> Best regards, >>>>>> Ivan Pavlukhin >>>>>> >>>>> >>>> >>> >> >> >> -- >> Best regards, >> Andrey V. Mashenkov >>
