Why not add SHA1 hashes?

Gary

On Thu, Apr 19, 2018, 07:00 Mukul Gandhi <[email protected]> wrote:

> Hi all,
>    With respect to the below mail thread between "sebb" and me, IMHO I
> don't intend to restart the VOTE mail unless there is a more genuine reason
> for the same.
>
> If anyone wishes to verify the signature and hashes of archive files as
> published on the release candidates link, it would require downloading (or
> you may take an update from SVN) the KEYS file from here
> "https://svn.apache.org/repos/asf/xerces/java/trunk/KEYS", which has my
> public key. You'd need to add these public keys to your public key ring.
>
> Of course we're also looking for any functional feedback about the
> release candidate.
>
> This vote mail would progress as already started. Looking forward to your
> votes.
>
> On Thu, Apr 19, 2018 at 3:16 PM, Mukul Gandhi <[email protected]> wrote:
>
>> Hello,
>>    Thanks for the feedback. I've written my thoughts below.
>>
>> On Thu, Apr 19, 2018 at 2:48 PM, sebb <[email protected]> wrote:
>>
>>> MD5 hashes are now deprecated and should please be removed from the
>>> download area (and download page)
>>>
>>
>> If we look at the download area of Xerces, i.e.
>> http://xerces.apache.org/mirrors.cgi
>>
>> The previous Xerces-J release (2.11.0) has published an MD5 hash, that's
>> why I included it. But you're right in saying, "MD5 hashes are now
>> deprecated". The release signing information at
>> http://www.apache.org/dev/release-signing.html#md5 says,
>> "Please note that the security of MD5 is now questionable and is only
>> useful as part of a defense in depth." I think this wording still gives
>> us permission to use MD5 hashes (via this, "and is only useful as part
>> of a defense in depth").
>>
>>
>>> Tags are not immutable, so for definiteness please include the
>>> revision in VOTE mails;
>>>
>>> for example
>>>
>>> Last Changed Rev: 26416
>>>
>>>
>>> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
>>>
>>> Directory revision:1829504 (of 1829520)
>>>
>>> > [3]
>>> >
>>> http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-xml-schema-1.1/
>>>
>>> Directory revision:1829505 (of 1829520)
>>>
>>>
>> I used this mail as a template for the VOTE mail,
>> https://markmail.org/message/clmyb53ju4jtghb4 that Michael Glavassevich
>> wrote for the 2.10.0 release. This mentions only the URLs of the Tag
>> locations. No revision information is mentioned over there.
>>
>
>
>
> --
> Regards,
> Mukul Gandhi
>

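For the hash half of the verification discussed in this thread, a checker along the following lines compares an archive against whatever digest sidecars sit beside it and reports when MD5 is the only one present. This is an added example, not part of the thread or of the Xerces release tooling. The `<archive>.<algo>` sidecar naming, the verdict names and the `WEAK` policy set are assumptions; the signature check against the KEYS file is a separate step not shown here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hex digest length for each sidecar extension looked for (assumed naming: <file>.<algo>).
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Assumed policy: a match on these alone is reported separately (MD5 per the thread).
WEAK = {"md5"}

def parse_sidecar(text, algo):
    """Pull the digest out of 'hash', 'hash  file' or 'ALGO (file) = hash' layouts."""
    pat = r"(?<![0-9a-fA-F])[0-9a-fA-F]{%d}(?![0-9a-fA-F])" % HEX_LEN[algo]
    m = re.search(pat, text)
    return m.group(0).lower() if m else None

def file_digest(path, algo):
    """Hash the file in chunks so large archives are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_artifact(path):
    """Return (verdict, {algo: status}) for an archive and the sidecars beside it."""
    results = {}
    for algo in HEX_LEN:
        sidecar = Path(f"{path}.{algo}")
        if not sidecar.exists():
            continue
        expected = parse_sidecar(sidecar.read_text(errors="replace"), algo)
        if expected is None:
            results[algo] = "unparseable"
        elif expected == file_digest(path, algo):
            results[algo] = "match"
        else:
            results[algo] = "MISMATCH"
    if any(v != "match" for v in results.values()):
        return "fail", results          # any bad sidecar fails the whole artifact
    if not results:
        return "no-digest", results     # nothing to check against
    return ("weak-only" if set(results) <= WEAK else "ok"), results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample, not a real release
        art = Path(d, "sample-bin.zip")
        art.write_bytes(b"constructed sample archive bytes")
        Path(f"{art}.md5").write_text(hashlib.md5(art.read_bytes()).hexdigest())
        print(verify_artifact(art))
```

A sidecar that fails to parse or does not match fails the artifact even when another digest matches, so a stale or tampered sidecar is not masked by a good one.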