[GitHub] commons-pool pull request #4: POOL-337: EvictionTimer does not remove cancel...

[cdeneux]

GitHub user cdeneux opened a pull request:

https://github.com/apache/commons-pool/pull/4

POOL-337: EvictionTimer does not remove cancelled tasks

EvictionTimer does not remove cancelled tasks from the executor, and so a 
memory leak occurs.

Thanks to Reinald Verheij for the patch

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/petalslink/commons-pool POOL-337

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/commons-pool/pull/4.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #4


commit ec8b7769585bcb86a42a53a2d939c271194ebe9d
Author: cdeneux 
Date:   2018-02-28T17:25:06Z

POOL-337: EvictionTimer does not remove cancelled tasks from the executor




---

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

[GitHub] commons-pool issue #4: POOL-337: EvictionTimer does not remove cancelled tas...

[coveralls]

Github user coveralls commented on the issue:

https://github.com/apache/commons-pool/pull/4
  

[![Coverage 
Status](https://coveralls.io/builds/15805552/badge)](https://coveralls.io/builds/15805552)

Coverage increased (+0.06%) to 84.784% when pulling 
**ec8b7769585bcb86a42a53a2d939c271194ebe9d on petalslink:POOL-337** into 
**30d5db67a2cd0bf3d9a2dd7ffaa7dd247760a9bd on apache:master**.



---

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

[GitHub] commons-pool issue #4: POOL-337: EvictionTimer does not remove cancelled tas...

[coveralls]

Github user coveralls commented on the issue:

https://github.com/apache/commons-pool/pull/4
  

[![Coverage 
Status](https://coveralls.io/builds/15805552/badge)](https://coveralls.io/builds/15805552)

Coverage increased (+0.06%) to 84.784% when pulling 
**ec8b7769585bcb86a42a53a2d939c271194ebe9d on petalslink:POOL-337** into 
**30d5db67a2cd0bf3d9a2dd7ffaa7dd247760a9bd on apache:master**.



---

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [VOTE][LAZY] Release Commons Release Plugin 1.1 based on RC4

[Rob Tompkins]

Here’s my +1.

> On Mar 2, 2018, at 8:03 AM, Rob Tompkins  wrote:
> 
> Hello all,
> 
> This is a [VOTE][LAZY] for releasing Apache Commons Release Plugin 1.1 (from 
> RC4).
> 
> Tag name:
>   commons-release-plugin-1.1-RC4 (signature can be checked from git using 
> 'git tag
> -v')
> 
> Tag URL:
>   
> https://git-wip-us.apache.org/repos/asf?p=commons-release-plugin.git;a=tag;h=054b877cb533ae849383255a2333546bf8bd5fc3
> 
> Commit ID the tag points at:
>d71325b42726d5c2e94ba1bcb6d64ae0129fd647
> 
> Site Zip:
>   
> https://dist.apache.org/repos/dist/dev/commons/commons-release-plugin/site.zip
> 
> Distribution files (committed at revision 25367):
>   https://dist.apache.org/repos/dist/dev/commons/commons-release-plugin/
> 
> Distribution files hashes (SHA1):
>   commons-release-plugin-1.1-bin.tar.gz
>   (SHA: 5322ccbf5de3fbbf3982663f91105f1b44acc149)
>   commons-release-plugin-1.1-bin.zip
>   (SHA1: 851d41b781b011a11d235fde956b5883d2512d57)
>   commons-release-plugin-1.1-src.tar.gz
>   (SHA1: 7452d071da80c0029750d2ed7b3f3fa0f28b9606)
>   commons-release-plugin-1.1-src.zip
>   (SHA1: 22734fb124ed0e81d4aa83fef262f33eb52a01f0)
> 
> These are the Maven artifacts and their hashes:
>   commons-release-plugin-1.1-javadoc.jar
>   (SHA1: 45c9a231c425f1613cd31de3f04378e54389743e)
>   commons-release-plugin-1.1-sources.jar
>   (SHA1: 917657efe91153b81c1793e91b73a17caad0d3d3)
>   commons-release-plugin-1.1-test-sources.jar
>   (SHA1: 79c7de6f5aedfaf72384d220289f15c3d4015d59)
>   commons-release-plugin-1.1-tests.jar
>   (SHA1: b02ac57d5bb4259c0e5dac5880aabaaf93116ed3)
>   commons-release-plugin-1.1.jar
>   (SHA1: 916563e750f9f8445780d36b6e249a2b918f9605)
>   commons-release-plugin-1.1.pom
>   (SHA1: 9c81a117320f7a19486ab3392c1c9fa9cae78dd3)
> 
> KEYS file to check signatures:
>   http://www.apache.org/dist/commons/KEYS
> 
> Maven artifacts:
>   https://repository.apache.org/content/repositories/orgapachecommons-1307
> 
> Please select one of the following options[1]:
>  [ ] +1 Release it.
>  [ ] +0 Go ahead; I don't care.
>  [ ] -0 There are a few minor glitches: ...
>  [ ] -1 No, do not release it because ...
> 
> This vote will be open at least 72 hours, i.e. until 
> 2018-03-05T14:00:00Z
> (this is UTC time).
> 
> 
> Cheers,
> -Rob
> 
> [1] http://apache.org/foundation/voting.html


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

[RESULT][VOTE][LAZY] Release Commons Release Plugin 1.1 based on RC4

[Rob Tompkins]

The vote passes with no down votes, and +1’s from:

Gary Gregory, and
Rob Tompkins.

I will proceed with promoting the release.

Cheers,
-Rob

> On Mar 2, 2018, at 8:03 AM, Rob Tompkins  wrote:
> 
> Hello all,
> 
> This is a [VOTE][LAZY] for releasing Apache Commons Release Plugin 1.1 (from 
> RC4).
> 
> Tag name:
>   commons-release-plugin-1.1-RC4 (signature can be checked from git using 
> 'git tag
> -v')
> 
> Tag URL:
>   
> https://git-wip-us.apache.org/repos/asf?p=commons-release-plugin.git;a=tag;h=054b877cb533ae849383255a2333546bf8bd5fc3
> 
> Commit ID the tag points at:
>d71325b42726d5c2e94ba1bcb6d64ae0129fd647
> 
> Site Zip:
>   
> https://dist.apache.org/repos/dist/dev/commons/commons-release-plugin/site.zip
> 
> Distribution files (committed at revision 25367):
>   https://dist.apache.org/repos/dist/dev/commons/commons-release-plugin/
> 
> Distribution files hashes (SHA1):
>   commons-release-plugin-1.1-bin.tar.gz
>   (SHA: 5322ccbf5de3fbbf3982663f91105f1b44acc149)
>   commons-release-plugin-1.1-bin.zip
>   (SHA1: 851d41b781b011a11d235fde956b5883d2512d57)
>   commons-release-plugin-1.1-src.tar.gz
>   (SHA1: 7452d071da80c0029750d2ed7b3f3fa0f28b9606)
>   commons-release-plugin-1.1-src.zip
>   (SHA1: 22734fb124ed0e81d4aa83fef262f33eb52a01f0)
> 
> These are the Maven artifacts and their hashes:
>   commons-release-plugin-1.1-javadoc.jar
>   (SHA1: 45c9a231c425f1613cd31de3f04378e54389743e)
>   commons-release-plugin-1.1-sources.jar
>   (SHA1: 917657efe91153b81c1793e91b73a17caad0d3d3)
>   commons-release-plugin-1.1-test-sources.jar
>   (SHA1: 79c7de6f5aedfaf72384d220289f15c3d4015d59)
>   commons-release-plugin-1.1-tests.jar
>   (SHA1: b02ac57d5bb4259c0e5dac5880aabaaf93116ed3)
>   commons-release-plugin-1.1.jar
>   (SHA1: 916563e750f9f8445780d36b6e249a2b918f9605)
>   commons-release-plugin-1.1.pom
>   (SHA1: 9c81a117320f7a19486ab3392c1c9fa9cae78dd3)
> 
> KEYS file to check signatures:
>   http://www.apache.org/dist/commons/KEYS
> 
> Maven artifacts:
>   https://repository.apache.org/content/repositories/orgapachecommons-1307
> 
> Please select one of the following options[1]:
>  [ ] +1 Release it.
>  [ ] +0 Go ahead; I don't care.
>  [ ] -0 There are a few minor glitches: ...
>  [ ] -1 No, do not release it because ...
> 
> This vote will be open at least 72 hours, i.e. until 
> 2018-03-05T14:00:00Z
> (this is UTC time).
> 
> 
> Cheers,
> -Rob
> 
> [1] http://apache.org/foundation/voting.html


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Fwd: checksum file Release Distribution Policy

[Gary Gregory]

Rob: How does this affect your release plugin?

Gary
-- Forwarded message --
From: Henk P. Penning 
Date: Mon, Mar 5, 2018 at 4:18 AM
Subject: checksum file Release Distribution Policy
To: he...@apache.org


Hi Pmcs,

   The Release Distribution Policy[1] changed regarding checksum files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

 MD5-file == a .md5 file
 SHA-file == a .sha1, sha256 or .sha512 file

  Old policy :

 -- MUST provide a MD5-file
 -- SHOULD provide a SHA-file [SHA-512 recommended]

  New policy :

 -- MUST provide a SHA- or MD5-file
 -- SHOULD provide a SHA-file
 -- SHOULD NOT provide a MD5-file

 Providing MD5 checksum files is now discouraged for new releases,
 but still allowed for past releases.

  Why this change :

 -- MD5 is broken for many purposes ; we should move away from it.
https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

  Impact for PMCs :

 -- for new releases :
-- please do provide a SHA-file (one or more, if you like)
-- do NOT provide a MD5-file

 -- for past releases :
-- you are not required to change anything
-- for artifacts accompanied by a SHA-file /and/ a MD5-file,
   it would be nice if you removed the MD5-file

 -- if, at the moment, you provide MD5-files,
please adjust your release tooling.

  Please mail me (he...@apache.org) if you have any questions etc.

  FYI :

   Many projects are not (entirely, strictly) checksum file compliant.
   For an overview/inventory (by project) see :

https://checker.apache.org/dist/unsummed.html

  At the moment :

 -- no checksum : 176 packages in 28 projects ; non-compliant
 -- only MD5: 495 packages in 44 projects ; update tooling
 -- only SHA: 135 packages in 13 projects ; now comliant

   In many cases, only a few (among many) checksum file are missing ;
   you may want to fix that.

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

  Thanks, groeten,

  Henk Penning -- apache.org infrastructure ; dist & mirrors.

   _
Henk P. Penning, ICT-beta R Uithof MG-403_/ \_
Faculty of Science, Utrecht UniversityT +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL

F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl \_/

Re: checksum file Release Distribution Policy

[Rob Tompkins]

The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull that 
back in leu of adding sha512 and removing sha1, md5? I haven’t promoted the RC 
yet.

-Rob

> On Mar 5, 2018, at 10:27 AM, Gary Gregory  wrote:
> 
> Rob: How does this affect your release plugin?
> 
> Gary
> -- Forwarded message --
> From: Henk P. Penning mailto:penn...@uu.nl>>
> Date: Mon, Mar 5, 2018 at 4:18 AM
> Subject: checksum file Release Distribution Policy
> To: he...@apache.org 
> 
> 
> Hi Pmcs,
> 
>   The Release Distribution Policy[1] changed regarding checksum files.
>   See under "Cryptographic Signatures and Checksums Requirements" [2].
> 
> MD5-file == a .md5 file
> SHA-file == a .sha1, sha256 or .sha512 file
> 
>  Old policy :
> 
> -- MUST provide a MD5-file
> -- SHOULD provide a SHA-file [SHA-512 recommended]
> 
>  New policy :
> 
> -- MUST provide a SHA- or MD5-file
> -- SHOULD provide a SHA-file
> -- SHOULD NOT provide a MD5-file
> 
> Providing MD5 checksum files is now discouraged for new releases,
> but still allowed for past releases.
> 
>  Why this change :
> 
> -- MD5 is broken for many purposes ; we should move away from it.
>https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
> 
>  Impact for PMCs :
> 
> -- for new releases :
>-- please do provide a SHA-file (one or more, if you like)
>-- do NOT provide a MD5-file
> 
> -- for past releases :
>-- you are not required to change anything
>-- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>   it would be nice if you removed the MD5-file
> 
> -- if, at the moment, you provide MD5-files,
>please adjust your release tooling.
> 
>  Please mail me (he...@apache.org) if you have any questions etc.
> 
>  FYI :
> 
>   Many projects are not (entirely, strictly) checksum file compliant.
>   For an overview/inventory (by project) see :
> 
>https://checker.apache.org/dist/unsummed.html
> 
>  At the moment :
> 
> -- no checksum : 176 packages in 28 projects ; non-compliant
> -- only MD5: 495 packages in 44 projects ; update tooling
> -- only SHA: 135 packages in 13 projects ; now comliant
> 
>   In many cases, only a few (among many) checksum file are missing ;
>   you may want to fix that.
> 
>   [1] http://www.apache.org/dev/release-distribution
>   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
> 
>  Thanks, groeten,
> 
>  Henk Penning -- apache.org infrastructure ; dist & mirrors.
> 
>    _
> Henk P. Penning, ICT-beta R Uithof MG-403_/ \_
> Faculty of Science, Utrecht UniversityT +31 30 253 4106 / \_/ \
> Leuvenlaan 4, 3584CE Utrecht, NL
>   
> >
>F +31 30 253 4553 \_/ \_/
> http://www.staff.science.uu.nl/~penni101/ 
>  M penn...@uu.nl 
>  \_/

[VFS] Is there any documentation on creating a new provider?

[Otto Fowler]

Is there any documentation on what is required for creating support for a
new filesystem?
Or would anyone recommend an existing one in common or sandbox that is a
good simple example?

Thanks

ottO

Re: checksum file Release Distribution Policy

[sebb]

Surely the plugin should upload whatever it finds?

Or does the plugin create the hashes as well?

On 5 March 2018 at 15:51, Rob Tompkins  wrote:
> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull that 
> back in leu of adding sha512 and removing sha1, md5? I haven’t promoted the 
> RC yet.
>
> -Rob
>
>> On Mar 5, 2018, at 10:27 AM, Gary Gregory  wrote:
>>
>> Rob: How does this affect your release plugin?
>>
>> Gary
>> -- Forwarded message --
>> From: Henk P. Penning mailto:penn...@uu.nl>>
>> Date: Mon, Mar 5, 2018 at 4:18 AM
>> Subject: checksum file Release Distribution Policy
>> To: he...@apache.org 
>>
>>
>> Hi Pmcs,
>>
>>   The Release Distribution Policy[1] changed regarding checksum files.
>>   See under "Cryptographic Signatures and Checksums Requirements" [2].
>>
>> MD5-file == a .md5 file
>> SHA-file == a .sha1, sha256 or .sha512 file
>>
>>  Old policy :
>>
>> -- MUST provide a MD5-file
>> -- SHOULD provide a SHA-file [SHA-512 recommended]
>>
>>  New policy :
>>
>> -- MUST provide a SHA- or MD5-file
>> -- SHOULD provide a SHA-file
>> -- SHOULD NOT provide a MD5-file
>>
>> Providing MD5 checksum files is now discouraged for new releases,
>> but still allowed for past releases.
>>
>>  Why this change :
>>
>> -- MD5 is broken for many purposes ; we should move away from it.
>>https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
>>
>>  Impact for PMCs :
>>
>> -- for new releases :
>>-- please do provide a SHA-file (one or more, if you like)
>>-- do NOT provide a MD5-file
>>
>> -- for past releases :
>>-- you are not required to change anything
>>-- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>>   it would be nice if you removed the MD5-file
>>
>> -- if, at the moment, you provide MD5-files,
>>please adjust your release tooling.
>>
>>  Please mail me (he...@apache.org) if you have any questions etc.
>>
>>  FYI :
>>
>>   Many projects are not (entirely, strictly) checksum file compliant.
>>   For an overview/inventory (by project) see :
>>
>>https://checker.apache.org/dist/unsummed.html
>>
>>  At the moment :
>>
>> -- no checksum : 176 packages in 28 projects ; non-compliant
>> -- only MD5: 495 packages in 44 projects ; update tooling
>> -- only SHA: 135 packages in 13 projects ; now comliant
>>
>>   In many cases, only a few (among many) checksum file are missing ;
>>   you may want to fix that.
>>
>>   [1] http://www.apache.org/dev/release-distribution
>>   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>
>>  Thanks, groeten,
>>
>>  Henk Penning -- apache.org infrastructure ; dist & mirrors.
>>
>>    _
>> Henk P. Penning, ICT-beta R Uithof MG-403_/ \_
>> Faculty of Science, Utrecht UniversityT +31 30 253 4106 / \_/ \
>> Leuvenlaan 4, 3584CE Utrecht, NL
>> >  
>> >
>>F +31 30 253 4553 \_/ \_/
>> http://www.staff.science.uu.nl/~penni101/ 
>>  M penn...@uu.nl 
>>  \_/
>

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: checksum file Release Distribution Policy

[Rob Tompkins]

The plugin only finds the assemblies, and the .asc files. We’ve been using the 
created signatures from nexus. So, I actually am creating the same signature 
files in the plugin. So, we have some leeway in deciding what sorts of 
signatures we want to upload to the “dist” svn repo. The m2 artifacts, on the 
other hand, I am leaving alone entirely.

-Rob

> On Mar 5, 2018, at 11:27 AM, sebb  wrote:
> 
> Surely the plugin should upload whatever it finds?
> 
> Or does the plugin create the hashes as well?
> 
> On 5 March 2018 at 15:51, Rob Tompkins  wrote:
>> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull that 
>> back in leu of adding sha512 and removing sha1, md5? I haven’t promoted the 
>> RC yet.
>> 
>> -Rob
>> 
>>> On Mar 5, 2018, at 10:27 AM, Gary Gregory  wrote:
>>> 
>>> Rob: How does this affect your release plugin?
>>> 
>>> Gary
>>> -- Forwarded message --
>>> From: Henk P. Penning mailto:penn...@uu.nl>>
>>> Date: Mon, Mar 5, 2018 at 4:18 AM
>>> Subject: checksum file Release Distribution Policy
>>> To: he...@apache.org 
>>> 
>>> 
>>> Hi Pmcs,
>>> 
>>>  The Release Distribution Policy[1] changed regarding checksum files.
>>>  See under "Cryptographic Signatures and Checksums Requirements" [2].
>>> 
>>>MD5-file == a .md5 file
>>>SHA-file == a .sha1, sha256 or .sha512 file
>>> 
>>> Old policy :
>>> 
>>>-- MUST provide a MD5-file
>>>-- SHOULD provide a SHA-file [SHA-512 recommended]
>>> 
>>> New policy :
>>> 
>>>-- MUST provide a SHA- or MD5-file
>>>-- SHOULD provide a SHA-file
>>>-- SHOULD NOT provide a MD5-file
>>> 
>>>Providing MD5 checksum files is now discouraged for new releases,
>>>but still allowed for past releases.
>>> 
>>> Why this change :
>>> 
>>>-- MD5 is broken for many purposes ; we should move away from it.
>>>   https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
>>> 
>>> Impact for PMCs :
>>> 
>>>-- for new releases :
>>>   -- please do provide a SHA-file (one or more, if you like)
>>>   -- do NOT provide a MD5-file
>>> 
>>>-- for past releases :
>>>   -- you are not required to change anything
>>>   -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>>>  it would be nice if you removed the MD5-file
>>> 
>>>-- if, at the moment, you provide MD5-files,
>>>   please adjust your release tooling.
>>> 
>>> Please mail me (he...@apache.org) if you have any questions etc.
>>> 
>>> FYI :
>>> 
>>>  Many projects are not (entirely, strictly) checksum file compliant.
>>>  For an overview/inventory (by project) see :
>>> 
>>>   https://checker.apache.org/dist/unsummed.html
>>> 
>>> At the moment :
>>> 
>>>-- no checksum : 176 packages in 28 projects ; non-compliant
>>>-- only MD5: 495 packages in 44 projects ; update tooling
>>>-- only SHA: 135 packages in 13 projects ; now comliant
>>> 
>>>  In many cases, only a few (among many) checksum file are missing ;
>>>  you may want to fix that.
>>> 
>>>  [1] http://www.apache.org/dev/release-distribution
>>>  [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>> 
>>> Thanks, groeten,
>>> 
>>> Henk Penning -- apache.org infrastructure ; dist & mirrors.
>>> 
>>>    _
>>> Henk P. Penning, ICT-beta R Uithof MG-403_/ \_
>>> Faculty of Science, Utrecht UniversityT +31 30 253 4106 / \_/ \
>>> Leuvenlaan 4, 3584CE Utrecht, NL
>>> >>  
>>> >
>>>   F +31 30 253 4553 \_/ \_/
>>> http://www.staff.science.uu.nl/~penni101/ 
>>>  M penn...@uu.nl 
>>>  \_/
>> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: checksum file Release Distribution Policy

[Gary Gregory]

On Mon, Mar 5, 2018 at 8:51 AM, Rob Tompkins  wrote:

> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull
> that back in leu of adding sha512 and removing sha1, md5? I haven’t
> promoted the RC yet.
>

I would move the release along, then consider how do implement with the new
policy in a subsequent release.

Gary


>
> -Rob
>
> > On Mar 5, 2018, at 10:27 AM, Gary Gregory 
> wrote:
> >
> > Rob: How does this affect your release plugin?
> >
> > Gary
> > -- Forwarded message --
> > From: Henk P. Penning mailto:penn...@uu.nl>>
> > Date: Mon, Mar 5, 2018 at 4:18 AM
> > Subject: checksum file Release Distribution Policy
> > To: he...@apache.org 
> >
> >
> > Hi Pmcs,
> >
> >   The Release Distribution Policy[1] changed regarding checksum files.
> >   See under "Cryptographic Signatures and Checksums Requirements" [2].
> >
> > MD5-file == a .md5 file
> > SHA-file == a .sha1, sha256 or .sha512 file
> >
> >  Old policy :
> >
> > -- MUST provide a MD5-file
> > -- SHOULD provide a SHA-file [SHA-512 recommended]
> >
> >  New policy :
> >
> > -- MUST provide a SHA- or MD5-file
> > -- SHOULD provide a SHA-file
> > -- SHOULD NOT provide a MD5-file
> >
> > Providing MD5 checksum files is now discouraged for new releases,
> > but still allowed for past releases.
> >
> >  Why this change :
> >
> > -- MD5 is broken for many purposes ; we should move away from it.
> >https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
> >
> >  Impact for PMCs :
> >
> > -- for new releases :
> >-- please do provide a SHA-file (one or more, if you like)
> >-- do NOT provide a MD5-file
> >
> > -- for past releases :
> >-- you are not required to change anything
> >-- for artifacts accompanied by a SHA-file /and/ a MD5-file,
> >   it would be nice if you removed the MD5-file
> >
> > -- if, at the moment, you provide MD5-files,
> >please adjust your release tooling.
> >
> >  Please mail me (he...@apache.org) if you have any questions etc.
> >
> >  FYI :
> >
> >   Many projects are not (entirely, strictly) checksum file compliant.
> >   For an overview/inventory (by project) see :
> >
> >https://checker.apache.org/dist/unsummed.html
> >
> >  At the moment :
> >
> > -- no checksum : 176 packages in 28 projects ; non-compliant
> > -- only MD5: 495 packages in 44 projects ; update tooling
> > -- only SHA: 135 packages in 13 projects ; now comliant
> >
> >   In many cases, only a few (among many) checksum file are missing ;
> >   you may want to fix that.
> >
> >   [1] http://www.apache.org/dev/release-distribution
> >   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
> >
> >  Thanks, groeten,
> >
> >  Henk Penning -- apache.org infrastructure ; dist & mirrors.
> >
> >    _
> > Henk P. Penning, ICT-beta R Uithof MG-403_/ \_
> > Faculty of Science, Utrecht UniversityT +31 30 253 4106 / \_/ \
> > Leuvenlaan 4, 3584CE Utrecht, NL
> >  NL&entry=gmail&source=g  Leuvenlaan+4,+3584CE+Utrecht,+NL&entry=gmail&source=g>>
> >F +31 30 253 4553 \_/ \_/
> > http://www.staff.science.uu.nl/~penni101/  nl/~penni101/> M penn...@uu.nl  \_/
>
>

Re: checksum file Release Distribution Policy

[Rob Tompkins]

> On Mar 5, 2018, at 11:52 AM, Gary Gregory  wrote:
> 
>> On Mon, Mar 5, 2018 at 8:51 AM, Rob Tompkins  wrote:
>> 
>> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull
>> that back in leu of adding sha512 and removing sha1, md5? I haven’t
>> promoted the RC yet.
>> 
> 
> I would move the release along, then consider how do implement with the new
> policy in a subsequent release.

Yup. That’s the direction I was leaning. 

> 
> Gary
> 
> 
>> 
>> -Rob
>> 
>>> On Mar 5, 2018, at 10:27 AM, Gary Gregory 
>> wrote:
>>> 
>>> Rob: How does this affect your release plugin?
>>> 
>>> Gary
>>> -- Forwarded message --
>>> From: Henk P. Penning mailto:penn...@uu.nl>>
>>> Date: Mon, Mar 5, 2018 at 4:18 AM
>>> Subject: checksum file Release Distribution Policy
>>> To: he...@apache.org 
>>> 
>>> 
>>> Hi Pmcs,
>>> 
>>>  The Release Distribution Policy[1] changed regarding checksum files.
>>>  See under "Cryptographic Signatures and Checksums Requirements" [2].
>>> 
>>>MD5-file == a .md5 file
>>>SHA-file == a .sha1, sha256 or .sha512 file
>>> 
>>> Old policy :
>>> 
>>>-- MUST provide a MD5-file
>>>-- SHOULD provide a SHA-file [SHA-512 recommended]
>>> 
>>> New policy :
>>> 
>>>-- MUST provide a SHA- or MD5-file
>>>-- SHOULD provide a SHA-file
>>>-- SHOULD NOT provide a MD5-file
>>> 
>>>Providing MD5 checksum files is now discouraged for new releases,
>>>but still allowed for past releases.
>>> 
>>> Why this change :
>>> 
>>>-- MD5 is broken for many purposes ; we should move away from it.
>>>   https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
>>> 
>>> Impact for PMCs :
>>> 
>>>-- for new releases :
>>>   -- please do provide a SHA-file (one or more, if you like)
>>>   -- do NOT provide a MD5-file
>>> 
>>>-- for past releases :
>>>   -- you are not required to change anything
>>>   -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>>>  it would be nice if you removed the MD5-file
>>> 
>>>-- if, at the moment, you provide MD5-files,
>>>   please adjust your release tooling.
>>> 
>>> Please mail me (he...@apache.org) if you have any questions etc.
>>> 
>>> FYI :
>>> 
>>>  Many projects are not (entirely, strictly) checksum file compliant.
>>>  For an overview/inventory (by project) see :
>>> 
>>>   https://checker.apache.org/dist/unsummed.html
>>> 
>>> At the moment :
>>> 
>>>-- no checksum : 176 packages in 28 projects ; non-compliant
>>>-- only MD5: 495 packages in 44 projects ; update tooling
>>>-- only SHA: 135 packages in 13 projects ; now comliant
>>> 
>>>  In many cases, only a few (among many) checksum file are missing ;
>>>  you may want to fix that.
>>> 
>>>  [1] http://www.apache.org/dev/release-distribution
>>>  [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>> 
>>> Thanks, groeten,
>>> 
>>> Henk Penning -- apache.org infrastructure ; dist & mirrors.
>>> 
>>>    _
>>> Henk P. Penning, ICT-beta R Uithof MG-403_/ \_
>>> Faculty of Science, Utrecht UniversityT +31 30 253 4106 / \_/ \
>>> Leuvenlaan 4, 3584CE Utrecht, NL
>>> > NL&entry=gmail&source=g > Leuvenlaan+4,+3584CE+Utrecht,+NL&entry=gmail&source=g>>
>>>   F +31 30 253 4553 \_/ \_/
>>> http://www.staff.science.uu.nl/~penni101/ > nl/~penni101/> M penn...@uu.nl  \_/
>> 
>> 

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [VFS] Is there any documentation on creating a new provider?

[Hasan Diwan]

Otto,

On 5 March 2018 at 07:53, Otto Fowler  wrote:

> Is there any documentation on what is required for creating support for a
> new filesystem?
>


Perhaps https://commons.apache.org/proper/commons-vfs/api.html may be
useful?

> Or would anyone recommend an existing one in common or sandbox that is a
> good simple example?


There are a few sample implementations in the example package. -- H
-- 
OpenPGP:
https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
If you wish to request my time, please do so using
http://bit.ly/hd1ScheduleRequest.
Si vous voudrais faire connnaisance, allez a
http://bit.ly/hd1ScheduleRequest.

Sent
from my mobile device
Envoye de mon portable

Re: [commons-release-plugin] Git Push Summary

[Rob Tompkins]

Not voted on in dev list.

> On Mar 5, 2018, at 12:42 PM, chtom...@apache.org wrote:
> 
> Repository: commons-release-plugin
> Updated Tags:  refs/tags/commons-release-plugin-1.1-RC3 [deleted] e8219ec15


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [commons-release-plugin] Git Push Summary

[Rob Tompkins]

Not voted on in email.

> On Mar 5, 2018, at 12:42 PM, chtom...@apache.org wrote:
> 
> Repository: commons-release-plugin
> Updated Tags:  refs/tags/commons-release-plugin-1.1-RC1 [deleted] b45d5bb6a


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: [VFS] Is there any documentation on creating a new provider?

[Otto Fowler]

Thanks Hasan,
I did read the API doc, but that is more towards using a filesystem, I’m
thinking about
creating a new provider.


On March 5, 2018 at 12:28:41, Hasan Diwan (hasan.di...@gmail.com) wrote:

Otto,

On 5 March 2018 at 07:53, Otto Fowler  wrote:

> Is there any documentation on what is required for creating support for a
> new filesystem?
>


Perhaps https://commons.apache.org/proper/commons-vfs/api.html may be
useful?

> Or would anyone recommend an existing one in common or sandbox that is a
> good simple example?


There are a few sample implementations in the example package. -- H
-- 
OpenPGP:
https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
If you wish to request my time, please do so using
http://bit.ly/hd1ScheduleRequest.
Si vous voudrais faire connnaisance, allez a
http://bit.ly/hd1ScheduleRequest.

Sent

from my mobile device
Envoye de mon portable

Re: checksum file Release Distribution Policy

[Gilles]

On Mon, 5 Mar 2018 11:35:27 -0500, Rob Tompkins wrote:

The plugin only finds the assemblies, and the .asc files. We’ve been
using the created signatures from nexus. So, I actually am creating
the same signature files in the plugin. So, we have some leeway in
deciding what sorts of signatures we want to upload to the “dist” svn
repo.


For this, we should (IIUC):
  * not use MD5
  * use SHA-512

Does the plugin create those checksum files for the "full dist"
archive files for a multi-module maven project?

Gilles


[...]


Old policy :

   -- MUST provide a MD5-file
   -- SHOULD provide a SHA-file [SHA-512 recommended]

New policy :

   -- MUST provide a SHA- or MD5-file
   -- SHOULD provide a SHA-file
   -- SHOULD NOT provide a MD5-file

[...]



-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org

Re: checksum file Release Distribution Policy

[Matt Sicker]

Do guidelines on which algorithm to use for GPG signing need to be added?

On 5 March 2018 at 13:18, Gilles  wrote:

> On Mon, 5 Mar 2018 11:35:27 -0500, Rob Tompkins wrote:
>
>> The plugin only finds the assemblies, and the .asc files. We’ve been
>> using the created signatures from nexus. So, I actually am creating
>> the same signature files in the plugin. So, we have some leeway in
>> deciding what sorts of signatures we want to upload to the “dist” svn
>> repo.
>>
>
> For this, we should (IIUC):
>   * not use MD5
>   * use SHA-512
>
> Does the plugin create those checksum files for the "full dist"
> archive files for a multi-module maven project?
>
> Gilles
>
> [...]
>>
>>>
> Old policy :
>
>-- MUST provide a MD5-file
>-- SHOULD provide a SHA-file [SHA-512 recommended]
>
> New policy :
>
>-- MUST provide a SHA- or MD5-file
>-- SHOULD provide a SHA-file
>-- SHOULD NOT provide a MD5-file
>
> [...]
>

>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>


-- 
Matt Sicker 

Re: checksum file Release Distribution Policy

[Rob Tompkins]

> On Mar 5, 2018, at 2:18 PM, Gilles  wrote:
> 
> On Mon, 5 Mar 2018 11:35:27 -0500, Rob Tompkins wrote:
>> The plugin only finds the assemblies, and the .asc files. We’ve been
>> using the created signatures from nexus. So, I actually am creating
>> the same signature files in the plugin. So, we have some leeway in
>> deciding what sorts of signatures we want to upload to the “dist” svn
>> repo.
> 
> For this, we should (IIUC):
>  * not use MD5
>  * use SHA-512

Should not use, to me, means that we, in our next release, will want to get rid 
of MD5 and use SHA-512.

> 
> Does the plugin create those checksum files for the "full dist"
> archive files for a multi-module maven project?
> 
> Gilles
> 
>> [...]
> 
> Old policy :
> 
>   -- MUST provide a MD5-file
>   -- SHOULD provide a SHA-file [SHA-512 recommended]
> 
> New policy :
> 
>   -- MUST provide a SHA- or MD5-file
>   -- SHOULD provide a SHA-file
>   -- SHOULD NOT provide a MD5-file
> 
> [...]
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
> 


-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org