On Mon, Jul 20, 2015 at 10:33 AM, Owen O'Malley <omal...@apache.org> wrote:
> On Sat, Jul 18, 2015 at 12:43 AM, Henry Saputra <henry.sapu...@gmail.com>
> wrote:
>
>> (NOTE next time probably use sha512)
>
> I'd like to second the request for using sha512 and not including md5.

The requirements for sums and signatures are covered in the Release
Distribution Policy, established a few months ago and curated by VP
Infrastructure:

http://www.apache.org/dev/release-distribution#sigs-and-sums

Every artifact distributed to the public through Apache channels MUST be
accompanied by one file containing an OpenPGP compatible ASCII armored
detached signature and another file containing an MD5 checksum. The names
of these files MUST be formed by adding to the name of the artifact the
following suffixes:

  * the signature by suffixing .asc
  * the checksum by suffixing .md5

An SHA checksum SHOULD also be created and MUST be suffixed .sha. The
checksum SHOULD be generated using SHA512.

If anyone wishes to suggest changes to the policy, the proper venue is the
public list infrastructure-dev@apache.

Please note that the establishment of the Release Distribution Policy
merely codified long-standing policies which had been documented in various
places -- nothing has changed in many years.

Marvin Humphrey
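
Added example, not part of the original message and not Apache tooling: a Python audit of a release directory against the sidecar-file rules quoted above (.asc and .md5 as MUST, .sha with SHA512 as SHOULD). The function names, the sample file names and the assumption that a sum file holds the digest as one unbroken hex token are illustrative; the signature is only checked for ASCII armor, not verified against a key.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ARMOR = "-----BEGIN PGP SIGNATURE-----"
# (suffix, hashlib name, requirement level as worded in the quoted policy)
SUMS = ((".md5", "md5", "MUST"), (".sha", "sha512", "SHOULD"))

def matches(sum_file, artifact, algo):
    h = hashlib.new(algo)
    with open(artifact, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    # Assumption: the sum file holds the digest as one unbroken hex token
    # (bare digest or md5sum/sha512sum style), not space-grouped output.
    text = sum_file.read_text(errors="replace")
    token = re.search(r"\b[0-9a-fA-F]{%d}\b" % (h.digest_size * 2), text)
    return bool(token) and token.group(0).lower() == h.hexdigest()

def audit(release_dir):
    """Map each artifact name to its policy findings (empty list = compliant)."""
    report = {}
    for art in sorted(Path(release_dir).iterdir()):
        if not art.is_file() or art.suffix in (".asc", ".md5", ".sha"):
            continue
        findings = []
        asc = Path(f"{art}.asc")
        if not (asc.exists() and ARMOR in asc.read_text(errors="replace")):
            findings.append("MUST: missing or non-armored .asc")
        for suffix, algo, level in SUMS:
            side = Path(f"{art}{suffix}")
            if not side.exists():
                findings.append(f"{level}: missing {suffix}")
            elif not matches(side, art, algo):
                findings.append(f"{level}: {suffix} is not the artifact's {algo}")
        report[art.name] = findings
    return report

def demo():
    # Constructed release directory: only the first artifact is complete.
    with tempfile.TemporaryDirectory() as d:
        for name in ("good-1.0.tar.gz", "bad-1.0.tar.gz"):
            Path(d, name).write_bytes(name.encode())
            Path(d, name + ".asc").write_text(ARMOR + "\n(placeholder)\n")
        good = b"good-1.0.tar.gz"
        Path(d, "good-1.0.tar.gz.md5").write_text(hashlib.md5(good).hexdigest() + "  good-1.0.tar.gz\n")
        Path(d, "good-1.0.tar.gz.sha").write_text(hashlib.sha512(good).hexdigest() + "\n")
        Path(d, "bad-1.0.tar.gz.md5").write_text(hashlib.md5(b"stale").hexdigest() + "\n")
        return audit(d)
```

A .sha file carrying a shorter SHA digest is reported at SHOULD level, since the quoted policy only recommends SHA512 for it.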