[ https://issues.apache.org/jira/browse/LUCENE-8493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16625701#comment-16625701 ]
Jan Høydahl commented on LUCENE-8493:
-------------------------------------

Also the download pages for Lucene and Solr must be updated with the first release after this change. Going to commit soon if no objections.

> Stop publishing .sha1 files with releases
> -----------------------------------------
>
>                 Key: LUCENE-8493
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8493
>             Project: Lucene - Core
>          Issue Type: Task
>          Components: -tools
>            Reporter: Jan Høydahl
>            Priority: Major
>              Labels: build, release, security, sha1sum
>             Fix For: 7.6, master (8.0)
>
>         Attachments: LUCENE-8493.patch
>
>
> In LUCENE-7935 we added {{.sha512}} checksums to releases and removed
> {{.md5}} files.
> According to the Release Distribution Policy
> ([http://www.apache.org/dev/release-distribution#sigs-and-sums)]:
> {quote}For every artifact distributed to the public through Apache channels,
> the PMC
> MUST supply a valid OpenPGP-compatible ASCII-armored detached signature file
> MUST supply at least one checksum file
> SHOULD supply a SHA-256 and/or SHA-512 checksum file
> *SHOULD NOT supply a MD5 or SHA-1 checksum file* (because these are
> deprecated)
> {quote}
> So this Jira will stop publishing .sha1 files, leaving only the .sha512

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org