I've made "mvn clean install" with enabled "apache-release" profile and see *.sha-512 checksum files in target directories. So, upgrading to the latest apache parent looks sufficient.
On Thu, Jan 14, 2021 at 12:30 PM Petr Ivanov <[email protected]> wrote: > Is seems that parent is already updated in > https://issues.apache.org/jira/browse/IGNITE-13987 < > https://issues.apache.org/jira/browse/IGNITE-13987> > > > > > On 14 Jan 2021, at 01:57, Valentin Kulichenko < > [email protected]> wrote: > > > > Andrey, > > > > This sounds even better. Can you create a ticket for this change? > > > > -Val > > > > On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov < > [email protected]> > > wrote: > > > >> Val, > >> > >> I've just found Maven projects use SHA-512. > >> I passed through commits and found they just switched to newer parent > >> org.apache:apache pom. > >> I've compared our current parent pom with the latest available one > >> (org.apache:apache:16 vs org.apache:apache:23) > >> and then found checksum-maven-plugin was added [1] somewhen in between. > >> > >> So, seems we have to switched to newer apache pom and maybe add > >> checksum-maven-plugin > >> to our main pom. > >> > >> [1] > >> > >> > https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a > >> > >> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko < > >> [email protected]> wrote: > >> > >>> Hi Andrey, > >>> > >>> This indeed sounds like the cleanest way. I don't know how much effort > >> that > >>> would be though. > >>> > >>> -Val > >>> > >>> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov < > >>> [email protected]> wrote: > >>> > >>>> Maybe, we could donate to maven plugin possibility to switch to > >> SHA-512. > >>>> Hopefully, a new plugin version will be released before we have any > >>> release > >>>> candidate. > >>>> > >>>> Is it looks like a big deal? > >>>> > >>>> ср, 13 янв. 2021 г., 21:32 Valentin Kulichenko < > >>>> [email protected]>: > >>>> > >>>>> Hi Ivan, > >>>>> > >>>>> No, I haven't found a way yet. SHA1 still works, but I believe we > >>> should > >>>>> consider using better options in future releases. > >>>>> > >>>>> Do you have any ideas on how to implement this? > >>>>> > >>>>> -Val > >>>>> > >>>>> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin <[email protected]> > >>>>> wrote: > >>>>> > >>>>>> Folks, > >>>>>> > >>>>>> Were you able to resolve this? > >>>>>> > >>>>>> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko < > >>>>>> [email protected]>: > >>>>>>> Hi Ivan, > >>>>>>> > >>>>>>> Thanks for your response. I've looked into the PGP plugin, and > >>>>>>> unfortunately it looks like it only can create signatures, but > >> not > >>>>>>> checksums. > >>>>>>> > >>>>>>> -Val > >>>>>>> > >>>>>>> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov < > >>>> [email protected]> > >>>>>>> wrote: > >>>>>>> > >>>>>>>> Hi, > >>>>>>>> > >>>>>>>> I've never done this before, but it seems like we need > >>>>> maven-gpg-plugin > >>>>>>>> for > >>>>>>>> it [1]. > >>>>>>>> > >>>>>>>> Algorithm configuration would look like this: > >>>>>>>> <gpgArguments> > >>>>>>>> <arg>--digest-algo=SHA512</arg> > >>>>>>>> </gpgArguments> > >>>>>>>> > >>>>>>>> Maybe this will help. > >>>>>>>> > >>>>>>>> [1] > >>>>>>>> > >>>>>>>> > >>>>>> > >>>>> > >>>> > >>> > >> > http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html > >>>>>>>> > >>>>>>>> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < > >>>>>>>> [email protected]>: > >>>>>>>> > >>>>>>>>> Igniters, > >>>>>>>>> > >>>>>>>>> I've been preparing the 3.0.0-alpha1 release and got confused > >>>> about > >>>>>> the > >>>>>>>>> requirements for checksums in Maven deployments. The Apache > >>>>>> instruction > >>>>>>>> [1] > >>>>>>>>> states that MD5 is deprecated and SHA1 should be avoided in > >>> favor > >>>> of > >>>>>>>>> SHA-256 or SHA-512. However, it looks like we are still using > >>> the > >>>>>>>> MD5/SHA1 > >>>>>>>>> combination (at least that's what the staging for 2.9.1 [2] > >>>>> contains). > >>>>>>>>> > >>>>>>>>> On top of that, I can't find an easy way to switch to another > >>>>> checksum > >>>>>>>>> - > >>>>>>>>> Maven deploy plugin [3] creates MD5 and SHA1 files > >> automatically > >>>> and > >>>>>>>>> doesn't seem to have any options to tweak this behavior. > >>>>>>>>> > >>>>>>>>> That said, I have two questions: > >>>>>>>>> > >>>>>>>>> 1. Are we required to use SHA512 or MD5/SHA1 is OK for now? > >>>>>>>>> 2. Is there a painless way to include SHA512 in addition to > >>>>>>>>> MD5/SHA1? > >>>>>>>>> > >>>>>>>>> Can anyone shed some light on this? > >>>>>>>>> > >>>>>>>>> [1] https://infra.apache.org/release-signing.html#basic-facts > >>>>>>>>> [2] > >>>>>>>>> > >>>>>>>>> > >>>>>>>> > >>>>>> > >>>>> > >>>> > >>> > >> > https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ > >>>>>>>>> [3] > >>>>>>>> > >>>> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html > >>>>>>>>> > >>>>>>>>> -Val > >>>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> -- > >>>>>>>> Sincerely yours, > >>>>>>>> Ivan Bessonov > >>>>>>>> > >>>>>>> > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> > >>>>>> Best regards, > >>>>>> Ivan Pavlukhin > >>>>>> > >>>>> > >>>> > >>> > >> > >> > >> -- > >> Best regards, > >> Andrey V. Mashenkov > >> > > -- Best regards, Andrey V. Mashenkov
