On Mon, Jul 20, 2015 at 10:33 AM, Owen O'Malley <omal...@apache.org> wrote:
> On Sat, Jul 18, 2015 at 12:43 AM, Henry Saputra <henry.sapu...@gmail.com>
> wrote:
>
>>  (NOTE next time probably use sha512)
>
>
> I'd like to second the request for using sha512 and not including md5.

The requirements for sums and signatures are covered in the Release
Distribution Policy, established a few months ago and curated by VP
Infrastructure:

    http://www.apache.org/dev/release-distribution#sigs-and-sums

    Every artifact distributed to the public through Apache channels MUST be
    accompanied by one file containing an OpenPGP compatible ASCII armored
    detached signature and another file containing an MD5 checksum. The names
    of these files MUST be formed by adding to the name of the artifact the
    following suffixes:

    *   the signature by suffixing .asc
    *   the checksum by suffixing .md5

    An SHA checksum SHOULD also be created and MUST be suffixed .sha. The
    checksum SHOULD be generated using SHA512.

If anyone wishes to suggest changes to the policy, the proper venue is the
public list infrastructure-dev@apache.

Please note that the establishment of the Release Distribution Policy
merely codified long-standing policies which had been documented in various
places -- nothing has changed in many years.

Marvin Humphrey
