[ https://issues.apache.org/jira/browse/SPARK-23601?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Apache Spark reassigned SPARK-23601:
------------------------------------
Assignee: Sean Owen (was: Apache Spark)
> Remove .md5 files from release
> ------------------------------
>
> Key: SPARK-23601
> URL: https://issues.apache.org/jira/browse/SPARK-23601
> Project: Spark
> Issue Type: Task
> Components: Build
> Affects Versions: 2.4.0
> Reporter: Sean Owen
> Assignee: Sean Owen
> Priority: Minor
>
> Per email from Henk to PMCs:
> {code}
> The Release Distribution Policy[1] changed regarding checksum files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
> MD5-file == a .md5 file
> SHA-file == a .sha1, .sha256 or .sha512 file
> Old policy :
> -- MUST provide a MD5-file
> -- SHOULD provide a SHA-file [SHA-512 recommended]
> New policy :
> -- MUST provide a SHA- or MD5-file
> -- SHOULD provide a SHA-file
> -- SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases,
> but still allowed for past releases.
> Why this change :
> -- MD5 is broken for many purposes ; we should move away from it.
> https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
> Impact for PMCs :
> -- for new releases :
>    -- please do provide a SHA-file (one or more, if you like)
>    -- do NOT provide a MD5-file
> -- for past releases :
>    -- you are not required to change anything
>    -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>       it would be nice if you removed the MD5-file
> -- if, at the moment, you provide MD5-files,
>    please adjust your release tooling.
> {code}