It's required by the Apache Release process:
http://www.apache.org/dev/release-distribution
<http://www.apache.org/dev/release-distribution>
For every artifact distributed to the public through Apache channels, the PMC
• MUST supply a valid OpenPGP-compatible ASCII-armored detached
signature file
• MUST supply at least one checksum file
• SHOULD supply a SHA-256 and/or SHA-512 checksum file
• SHOULD NOT supply a MD5 or SHA-1 checksum file (because these are
deprecated)
For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT
supply MD5 or SHA-1. Existing releases do not need to be changed.
> On Oct 9, 2019, at 6:50 PM, Andor Molnar <[email protected]> wrote:
>
> Checking.
> Why do we generated SHA512 sums for the gpg signatures?
> Is that intentional?
>
> Andor
>
>
>
>> On 2019. Oct 8., at 22:36, Enrico Olivelli <[email protected]> wrote:
>>
>> This is a bugfix release candidate for 3.5.6.
>>
>> It fixes 29 issues, including upgrade of third party libraries,
>> TTL Node APIs for C API, support for PCKS12 Keystores, upgrade of Netty 4
>> and better procedure for the upgrade of servers from 3.4 to 3.5.
>>
>> The full release notes is available at:
>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12345243
>>
>> *** Please download, test and vote by October 11th 2019, 23:59 UTC+0. ***
>>
>> Source files:
>> https://people.apache.org/~eolivelli/zookeeper-3.5.6-candidate-4
>>
>> Maven staging repo:
>> https://repository.apache.org/content/repositories/orgapachezookeeper-1044
>>
>> The release candidate tag in git to be voted upon: release-3.5.6-rc4
>> https://github.com/apache/zookeeper/tree/release-3.5.6-rc4
>>
>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> https://www.apache.org/dist/zookeeper/KEYS
>>
>> Should we release this candidate?
>>
>> Enrico Olivelli
>
