michael-o commented on pull request #40: URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-831516482
> > > > ASF releases are solely distributed through dist.apache.org > > Not in all Apache projects, look at https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.api/2.9.0/ or https://repo1.maven.org/maven2/org/apache/felix/org.apache.felix.scr/2.1.8/. Maven Central has the source-release artifacts as well. They must comply with: https://infra.apache.org/release-distribution.html. They can provide more if they like, but not less than that. > > Generating checksums on the fly for remote repos is done by Maven Resolver > > Only MD5 and SHA1. SHA512 has been explicitly disabled for performance reasons (https://issues.apache.org/jira/browse/MRESOLVER-140) What holds you off to enable this? > > Uploading checksums for a subset of items makes no sense > > ASF policy enforces that only for those releases (https://infra.apache.org/release-distribution.html#sigs-and-sums). For the binaries it is never checked (because as you said, Maven will only use MD5/SHA1 to detect transport corruption) and ASF doesn't care about the binaries anyhow. ASF never provides binary. The only official release is a source tarball/zip. Binaries are courtesy. So if you want to point someone to an Apache release, point to downloads.apache.org. That's it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org