kwin commented on pull request #40: URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-831482941
> ASF releases are solely distributed through dist.apache.org Not in all Apache projects, look at https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.api/2.9.0/ or https://repo1.maven.org/maven2/org/apache/felix/org.apache.felix.scr/2.1.8/. Maven Central has the source-release artifacts as well. > Generating checksums on the fly for remote repos is done by Maven Resolver Only MD5 and SHA1, SHA512 has been explicitly disabled for performance reasons (https://issues.apache.org/jira/browse/MRESOLVER-140) > Uploading checksums for a subset of items makes no sense ASF policy enforces that only for those releases. For the binaries it is never checked (because as you said, Maven will only use MD5/SHA1 to detect transport corruption) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org