[ 
https://issues.apache.org/jira/browse/MPOM-282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470375#comment-17470375
 ] 

Herve Boutemy edited comment on MPOM-282 at 1/7/22, 7:05 AM:
-------------------------------------------------------------

bq. Hm, after rereading original issue: "the created SHA512 which is used for 
the distribution area" – is it maybe us misinterpreting this?

+1

there are 2 separate needs that are constantly conflated.

I'll show 1 concrete example = the binary distribution of Maven 3.8.4 
apache-maven-3.8.4-bin.zip :
- there is the sha512 file from Apache distribution area ("Apache distribution 
area" is ASF specific, obviously): 
https://archive.apache.org/dist/maven/maven-3/3.8.4/binaries/
- there is (eventually) the sha512 from Maven Central repository: 
https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.4/ : 
you'll see we even did not publish sha512 here (because Maven core does not use 
the shared ASF parent POM)

let's look at maven wagon wagon-3.5.1-source-release.zip, that uses (like most 
of our Maven releases) the ASF parent POM for that source-release part:
- Apache distribution area ("Apache distribution area" is ASF specific, 
obviously): https://archive.apache.org/dist/maven/wagon/
- Maven Central repository: 
https://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon/3.5.1/

Apache distribution area is free form of Apache Software Foundation, governed 
by ASF rules
Maven Central repository area has a Maven2 repository format, governed by Maven 
code + repository managers and other build/dependency tools reuse + Maven 
Central reuse

In the past, both asked for SHA1 = the start of thinking that both checksum 
files were forced to be the same
When Apache Software Foundation started to require sha512 but not Maven2 
repository format, we started to see the mix

then when I read the issue title "create correct SHA512 content", it all 
summarises the lack of clarity: "correct" for which rules?
Because at least, one thing ASF and Maven share is that the SHA-512 algorithm value 
is the same: now, what should be the format of the .sha512 file in each case is 
another question


> Create correct SHA512 content
> -----------------------------
>
>                 Key: MPOM-282
>                 URL: https://issues.apache.org/jira/browse/MPOM-282
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>
> Currently the created SHA512 which is used for the distribution area contains 
> only the checksum but not the filename, which results in bad output if the 
> checksums are being checked via a command line tool:
> {code}
> $ shasum -c apache-maven-3.2.5-bin.tar.gz.sha512
> $ shasum: apache-maven-3.2.5-bin.tar.gz.sha512: no properly formatted SHA 
> checksum lines found
> {code}
> The checksum should be enhanced to support that correctly.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
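
Added example (not part of the original message or of the ASF parent POM): a POSIX shell check that accepts both .sha512 layouts discussed above, the bare digest described in the issue and the "digest  filename" line that shasum -c expects. The function names and exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Usage: verify_sha512 FILE FILE.sha512
# Exit codes (chosen for this example): 0 match, 1 digest mismatch,
# 2 malformed checksum file, 3 checksum line names a different file.

# Print the lowercase hex SHA-512 of a file with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

verify_sha512() {
    file=$1
    sumfile=$2
    # Read the first line only; tolerate a missing trailing newline.
    IFS= read -r line < "$sumfile" || [ -n "$line" ] || return 2
    line=$(printf '%s' "$line" | tr -d '\r')
    expected=$(printf '%s' "$line" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    # A SHA-512 digest is exactly 128 hex characters.
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 128 ] || return 2
    # Named layout: "<digest>  <name>" (text) or "<digest> *<name>" (binary).
    # The bare layout has no name, so there is nothing to cross-check.
    case $line in
        *' '*)
            name=${line#* }
            name=${name# }
            name=${name#\*}
            [ -z "$name" ] || [ "$name" = "$(basename "$file")" ] || return 3
            ;;
    esac
    # The digest value itself is the same in both layouts.
    [ "$(sha512_of "$file")" = "$expected" ]
}
```

A bare-digest file verifies here but is rejected by shasum -c, which is the mismatch the issue reports.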
