[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208551#comment-17208551 ]

Bertrand Delacretaz commented on SLING-7534:
--------------------------------------------

Thank you [~michael-o] for this and especially for the clarifications on how 
Maven and Nexus handle these things.

With this additional info I think the key elements are:
 * As per [https://infra.apache.org/release-distribution#sigs-and-sums], our 
Apache Releases _must supply SHA-256 and/or SHA-512 and should not supply MD5 
or SHA-1_.
 * On the Maven side of things, hashes are only used for file integrity checks, 
so not as critical considering that people should validate the file signatures 
anyway if they care about authenticity.

So I think we can "just" adapt our [release 
process|https://sling.apache.org/documentation/development/release-management.html]
 and tools so that SHA-256 or SHA-512 hashes are added to whatever we upload to 
[https://dist.apache.org|https://dist.apache.org/] and we'll be good.

As per INFRA-14923, Nexus will not generate those hashes but we do need them in 
the staging repositories that we deploy to 
[https://repository.apache.org|https://repository.apache.org/] - so based on 
Michael's explanations I suppose including them in the artifacts that are 
copied by {{maven-install-plugin}} should work.

Building the {{sling-org-apache-sling-api}} module (as an example) with the 
{{apache-release}} Maven profile active does generate a 
{{source-release.zip.sha512}} hash, but it's not installed in the local 
repository - that might be the only thing we need to fix?

> Release policy - stop providing MD5 and start providing SHA-512 checksums
> -------------------------------------------------------------------------
>
>                 Key: SLING-7534
>                 URL: https://issues.apache.org/jira/browse/SLING-7534
>             Project: Sling
>          Issue Type: Task
>          Components: Tooling
>            Reporter: Robert Munteanu
>            Assignee: Konrad Windszus
>            Priority: Major
>             Fix For: Parent 40
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums, we SHOULD 
> no longer provide MD5 checksums for new releases.
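The two points the comment above makes (SHA-512 sidecar files are required by the Apache policy, and a checksum is only an integrity check while the detached signature is what proves authenticity) as an added shell example; this is not Sling's release tooling, and the file names, the helper names and the sidecar layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the Sling release process or its tools.

# Pick a SHA-512 tool: GNU coreutils sha512sum, or the Perl shasum on BSD/macOS.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Write <artifact>.sha512 next to the artifact, in the "hash  filename" layout
# that sha512sum -c understands. Only the base name is recorded, so the sidecar
# stays valid after the artifact is uploaded to the distribution area.
write_sha512() {
  artifact=$1
  dir=$(dirname "$artifact"); base=$(basename "$artifact")
  printf '%s  %s\n' "$(sha512_of "$artifact")" "$base" > "$dir/$base.sha512"
}

# Integrity check only: returns 0 when the artifact matches its .sha512 file.
# A matching hash says nothing about who produced the artifact.
verify_sha512() {
  artifact=$1
  dir=$(dirname "$artifact"); base=$(basename "$artifact")
  [ -f "$dir/$base.sha512" ] || return 1
  expected=$(cut -d' ' -f1 "$dir/$base.sha512")
  [ -n "$expected" ] && [ "$expected" = "$(sha512_of "$artifact")" ]
}

# Authenticity check: verify the detached .asc signature against the artifact
# with the release manager's key already in the local keyring (assumed layout).
verify_signature() {
  gpg --verify "$1.asc" "$1"
}

# Policy check: the release area must not carry MD5 or SHA-1 sidecars.
check_no_weak_sums() {
  [ ! -e "$1.md5" ] && [ ! -e "$1.sha1" ]
}
```

Run write_sha512 on each artifact before it is staged, and have consumers run verify_sha512 followed by verify_signature; the first alone never establishes who built the release.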