Hello, Thanks for the feedback. I've written my thoughts below. On Thu, Apr 19, 2018 at 2:48 PM, sebb <[email protected]> wrote:
> MD5 hashes are now deprecated and should please be removed from the > download area (and download page) > If we look at the download area of Xerces, i.e http://xerces.apache.org/mirrors.cgi The previous Xerces-J release (2.11.0) has published a MD5 hash, that's why I included it. But you're right in saying, " MD5 hashes are now deprecated". The release signing information at, http://www.apache.org/dev/release-signing.html#md5 says, "Please note that the security of MD5 is now questionable and is only useful as part of a defense in depth.". I think, this wording still gives us permission to use MD5 hashes (via this, " and is only useful as part of a defense in depth"). > Tags are not immutable, so for definiteness please include the > revision in VOTE mails; > > for example > > Last Changed Rev: 26416 > > > > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/ > > Directory revision:1829504 (of 1829520) > > > [3] > > http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_ > 12_0-xml-schema-1.1/ > > Directory revision:1829505 (of 1829520) > > I used this mail as template for the VOTE mail, https://markmail.org/message/clmyb53ju4jtghb4 that Michael Glavassevich wrote for the 2.10.0 release. This mentions only the URLs of the Tag locations. No revision information is mentioned over there. -- Regards, Mukul Gandhi
