Re: sha512

2018-10-18 Thread Raymond Auge 
One last thing, should the sha512 only be generated on the source-release
tarball and zips?

Just want to make sure. Traditionally Apache Felix listed the checksums on
the website. But if we don't have the checksums for the artifacts we can't
do that anymore unless we generated them manually.

- Ray

On Thu, Oct 18, 2018 at 4:31 AM Konrad Windszus  wrote:

>
>
> > On 18. Oct 2018, at 10:26, Bertrand Delacretaz 
> wrote:
> >
> > Note that http://www.apache.org/dev/release-distribution#sigs-and-sums
> > now says SHOULD supply sha-512 and SHOULD NOT supply md5.
>
> Actually it says in another paragraph:
>
> > For new releases, PMCs MUST supply SHA-256 and/or SHA-512;
>
>
> So this is mandatory to provide for new(!) releases.
>
>

-- 
*Raymond Augé* 
 (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
 (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance  (@OSGiAlliance)

Re: sha512

2018-10-18 Thread Konrad Windszus 



> On 18. Oct 2018, at 10:26, Bertrand Delacretaz  wrote:
> 
> Note that http://www.apache.org/dev/release-distribution#sigs-and-sums
> now says SHOULD supply sha-512 and SHOULD NOT supply md5.

Actually it says in another paragraph: 

> For new releases, PMCs MUST supply SHA-256 and/or SHA-512; 


So this is mandatory to provide for new(!) releases.

Re: sha512

2018-10-18 Thread Bertrand Delacretaz 
On Thu, Oct 18, 2018 at 8:24 AM Konrad Windszus  wrote:
> ...Also compare with 
> https://maven.apache.org/developers/release/maven-project-release-procedure.html.
> This is currently a process decoupled from the staging repo unfortunately...

I haven't followed all the details but I think
https://issues.apache.org/jira/browse/INFRA-14923 can get in the way.

Note that http://www.apache.org/dev/release-distribution#sigs-and-sums
now says SHOULD supply sha-512 and SHOULD NOT supply md5.

IIUC those requirements have been relaxed from MUST to SHOULD for now
as the tooling is not fully in place depending on your release
process. Which means it's fine to postpone those changes until the
tooling is here, if that makes things easier.

-Bertrand

Re: sha512

2018-10-17 Thread Konrad Windszus 
The latter. Also compare with 
https://maven.apache.org/developers/release/maven-project-release-procedure.html.
 This is currently a process decoupled from the staging repo unfortunately.
Konrad

Von meinem iPhone gesendet

> Am 18.10.2018 um 07:30 schrieb Carsten Ziegeler :
> 
> Yes, but if I downloaded the whole staging repository using our script, do I 
> get those shas or do I have to manually save them from the target directory?
> 
> Regards
> Carsten
> 
>> Am 18.10.2018 um 07:01 schrieb Jean-Baptiste Onofré:
>> They have to be on dist.apache.org.
>> Regards
>> JB
>>> Le 18 oct. 2018 à 06:49, à 06:49, Carsten Ziegeler  a 
>>> écrit:
>>> What does that mean? Are they not uploaded to the staging repository?
>>> 
>>> Regards
>>> Carsten
>>> 
 Am 17.10.2018 um 23:12 schrieb Raymond Auge:
 Ok, I was informed that the sha512 files are ONLY IN THE TARGET
>>> directory.
 
 We should add a note about this in the release management process.
 
 Thanks all,
 - Ray
 
 On Wed, Oct 17, 2018 at 4:30 PM Raymond Auge
>>> 
 wrote:
 
> So why didn't they get generated for this last release? I built the
> release on the weekend and I didn't get any sha512 files, I
>>> generated them
> myself as I was adding the files to the dist dir.
> 
> - Ray
> 
> On Wed, Oct 17, 2018 at 4:26 PM Pierre De Rop
>>> 
> wrote:
> 
>> for example, for declarative service, the scr/pom.xml currently
>>> uses the
>> latest felix-parent (version 6)
>> ->
>> 
>>  
>> org.apache.felix
>> felix-parent
>> 6
>> 
>> 
>> 
>> and the felix-parent version 6  uses apache parent 21 (which is the
>>> latest
>> release):
>> ->
>>  ^M
>> org.apache^M
>> apache^M
>> 21^M
>> ^M
>> ^M
>> 
>> and in the apache parent 21, I see this:
>> ->
>>  ^M
>>   org.apache.maven.plugins^M
>>   maven-gpg-plugin^M
>>   1.6^M
>>   ^M
>> ^M
>>   --digest-algo=SHA512^M
>> ^M
>>   ^M
>> ^M
>> 
>> so, it should be at fine at least for the scr, i guess ?
>> 
>> cheers
>> pierre
>> 
>> On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge
>>> 
>> wrote:
>> 
>>> Perhaps you're right. Perhaps that parent is just not applied to
>>> the
>>> projects I've released. I'll try it next time.
>>> 
>>> Thanks Carsten.
>>> 
>>> - Ray
>>> 
>>> On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler
>>> 
>>> wrote:
>>> 
 I thought if we use the latest Apache pom as a parent than this
>>> is
 solved. Isn't that the case?
 
 Carsten
 
> Am 17.10.2018 um 16:45 schrieb Raymond Auge:
> Hey everyone,
> 
> We really need to fix the build to do sha512 and remove MD5.
> 
> Anyone know the magic or can point me to an example where this
>>> is
> configured I'd appreciate it.
> 
> Thanks,
> 
 
 --
 Carsten Ziegeler
 Adobe Research Switzerland
 cziege...@apache.org
 
>>> 
>>> 
>>> --
>>> *Raymond Augé* 
>>>   (@rotty3000)
>>> Senior Software Architect *Liferay, Inc.* 
>>>   (@Liferay)
>>> Board Member & EEG Co-Chair, OSGi Alliance 
>>> (@OSGiAlliance)
>>> 
>> 
> 
> 
> --
> *Raymond Augé* 
>   (@rotty3000)
> Senior Software Architect *Liferay, Inc.* 
>   (@Liferay)
> Board Member & EEG Co-Chair, OSGi Alliance 
> (@OSGiAlliance)
> 
 
 
>>> 
>>> -- 
>>> Carsten Ziegeler
>>> Adobe Research Switzerland
>>> cziege...@apache.org
> 
> -- 
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org

Re: sha512

2018-10-17 Thread Carsten Ziegeler 
Yes, but if I downloaded the whole staging repository using our script, 
do I get those shas or do I have to manually save them from the target 
directory?


Regards
Carsten

Am 18.10.2018 um 07:01 schrieb Jean-Baptiste Onofré:

They have to be on dist.apache.org.

Regards
JB

Le 18 oct. 2018 à 06:49, à 06:49, Carsten Ziegeler  a 
écrit:

What does that mean? Are they not uploaded to the staging repository?

Regards
Carsten

Am 17.10.2018 um 23:12 schrieb Raymond Auge:

Ok, I was informed that the sha512 files are ONLY IN THE TARGET

directory.


We should add a note about this in the release management process.

Thanks all,
- Ray

On Wed, Oct 17, 2018 at 4:30 PM Raymond Auge



wrote:


So why didn't they get generated for this last release? I built the
release on the weekend and I didn't get any sha512 files, I

generated them

myself as I was adding the files to the dist dir.

- Ray

On Wed, Oct 17, 2018 at 4:26 PM Pierre De Rop



wrote:


for example, for declarative service, the scr/pom.xml currently

uses the

latest felix-parent (version 6)
->

  
 org.apache.felix
 felix-parent
 6
 
 

and the felix-parent version 6  uses apache parent 21 (which is the

latest

release):
->
  ^M
 org.apache^M
 apache^M
 21^M
 ^M
 ^M

and in the apache parent 21, I see this:
->
  ^M
   org.apache.maven.plugins^M
   maven-gpg-plugin^M
   1.6^M
   ^M
 ^M
   --digest-algo=SHA512^M
 ^M
   ^M
 ^M

so, it should be at fine at least for the scr, i guess ?

cheers
pierre

On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge



wrote:


Perhaps you're right. Perhaps that parent is just not applied to

the

projects I've released. I'll try it next time.

Thanks Carsten.

- Ray

On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler



wrote:


I thought if we use the latest Apache pom as a parent than this

is

solved. Isn't that the case?

Carsten

Am 17.10.2018 um 16:45 schrieb Raymond Auge:

Hey everyone,

We really need to fix the build to do sha512 and remove MD5.

Anyone know the magic or can point me to an example where this

is

configured I'd appreciate it.

Thanks,



--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org




--
*Raymond Augé* 
   (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
   (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance 
(@OSGiAlliance)






--
*Raymond Augé* 
   (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
   (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance 
(@OSGiAlliance)






--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org




--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org

Re: sha512

2018-10-17 Thread Jean-Baptiste Onofré 
They have to be on dist.apache.org.

Regards
JB

Le 18 oct. 2018 à 06:49, à 06:49, Carsten Ziegeler  a 
écrit:
>What does that mean? Are they not uploaded to the staging repository?
>
>Regards
>Carsten
>
>Am 17.10.2018 um 23:12 schrieb Raymond Auge:
>> Ok, I was informed that the sha512 files are ONLY IN THE TARGET
>directory.
>>
>> We should add a note about this in the release management process.
>>
>> Thanks all,
>> - Ray
>>
>> On Wed, Oct 17, 2018 at 4:30 PM Raymond Auge
>
>> wrote:
>>
>>> So why didn't they get generated for this last release? I built the
>>> release on the weekend and I didn't get any sha512 files, I
>generated them
>>> myself as I was adding the files to the dist dir.
>>>
>>> - Ray
>>>
>>> On Wed, Oct 17, 2018 at 4:26 PM Pierre De Rop
>
>>> wrote:
>>>
 for example, for declarative service, the scr/pom.xml currently
>uses the
 latest felix-parent (version 6)
 ->

  
 org.apache.felix
 felix-parent
 6
 
 

 and the felix-parent version 6  uses apache parent 21 (which is the
>latest
 release):
 ->
  ^M
 org.apache^M
 apache^M
 21^M
 ^M
 ^M

 and in the apache parent 21, I see this:
 ->
  ^M
   org.apache.maven.plugins^M
   maven-gpg-plugin^M
   1.6^M
   ^M
 ^M
   --digest-algo=SHA512^M
 ^M
   ^M
 ^M

 so, it should be at fine at least for the scr, i guess ?

 cheers
 pierre

 On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge
>
 wrote:

> Perhaps you're right. Perhaps that parent is just not applied to
>the
> projects I've released. I'll try it next time.
>
> Thanks Carsten.
>
> - Ray
>
> On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler
>
> wrote:
>
>> I thought if we use the latest Apache pom as a parent than this
>is
>> solved. Isn't that the case?
>>
>> Carsten
>>
>> Am 17.10.2018 um 16:45 schrieb Raymond Auge:
>>> Hey everyone,
>>>
>>> We really need to fix the build to do sha512 and remove MD5.
>>>
>>> Anyone know the magic or can point me to an example where this
>is
>>> configured I'd appreciate it.
>>>
>>> Thanks,
>>>
>>
>> --
>> Carsten Ziegeler
>> Adobe Research Switzerland
>> cziege...@apache.org
>>
>
>
> --
> *Raymond Augé* 
>   (@rotty3000)
> Senior Software Architect *Liferay, Inc.* 
>   (@Liferay)
> Board Member & EEG Co-Chair, OSGi Alliance 
> (@OSGiAlliance)
>

>>>
>>>
>>> --
>>> *Raymond Augé* 
>>>   (@rotty3000)
>>> Senior Software Architect *Liferay, Inc.* 
>>>   (@Liferay)
>>> Board Member & EEG Co-Chair, OSGi Alliance 
>>> (@OSGiAlliance)
>>>
>>
>>
>
>--
>Carsten Ziegeler
>Adobe Research Switzerland
>cziege...@apache.org

Re: sha512

2018-10-17 Thread Carsten Ziegeler 

What does that mean? Are they not uploaded to the staging repository?

Regards
Carsten

Am 17.10.2018 um 23:12 schrieb Raymond Auge:

Ok, I was informed that the sha512 files are ONLY IN THE TARGET directory.

We should add a note about this in the release management process.

Thanks all,
- Ray

On Wed, Oct 17, 2018 at 4:30 PM Raymond Auge 
wrote:


So why didn't they get generated for this last release? I built the
release on the weekend and I didn't get any sha512 files, I generated them
myself as I was adding the files to the dist dir.

- Ray

On Wed, Oct 17, 2018 at 4:26 PM Pierre De Rop 
wrote:


for example, for declarative service, the scr/pom.xml currently uses the
latest felix-parent (version 6)
->

 
org.apache.felix
felix-parent
6



and the felix-parent version 6  uses apache parent 21 (which is the latest
release):
->
 ^M
org.apache^M
apache^M
21^M
^M
^M

and in the apache parent 21, I see this:
->
 ^M
  org.apache.maven.plugins^M
  maven-gpg-plugin^M
  1.6^M
  ^M
^M
  --digest-algo=SHA512^M
^M
  ^M
^M

so, it should be at fine at least for the scr, i guess ?

cheers
pierre

On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge 
wrote:


Perhaps you're right. Perhaps that parent is just not applied to the
projects I've released. I'll try it next time.

Thanks Carsten.

- Ray

On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler 
wrote:


I thought if we use the latest Apache pom as a parent than this is
solved. Isn't that the case?

Carsten

Am 17.10.2018 um 16:45 schrieb Raymond Auge:

Hey everyone,

We really need to fix the build to do sha512 and remove MD5.

Anyone know the magic or can point me to an example where this is
configured I'd appreciate it.

Thanks,



--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org




--
*Raymond Augé* 
  (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
  (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance 
(@OSGiAlliance)






--
*Raymond Augé* 
  (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
  (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance 
(@OSGiAlliance)






--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org

Re: sha512

2018-10-17 Thread Raymond Auge 
Ok, I was informed that the sha512 files are ONLY IN THE TARGET directory.

We should add a note about this in the release management process.

Thanks all,
- Ray

On Wed, Oct 17, 2018 at 4:30 PM Raymond Auge 
wrote:

> So why didn't they get generated for this last release? I built the
> release on the weekend and I didn't get any sha512 files, I generated them
> myself as I was adding the files to the dist dir.
>
> - Ray
>
> On Wed, Oct 17, 2018 at 4:26 PM Pierre De Rop 
> wrote:
>
>> for example, for declarative service, the scr/pom.xml currently uses the
>> latest felix-parent (version 6)
>> ->
>>
>> 
>>org.apache.felix
>>felix-parent
>>6
>>
>>
>>
>> and the felix-parent version 6  uses apache parent 21 (which is the latest
>> release):
>> ->
>> ^M
>>org.apache^M
>>apache^M
>>21^M
>>^M
>>^M
>>
>> and in the apache parent 21, I see this:
>> ->
>> ^M
>>  org.apache.maven.plugins^M
>>  maven-gpg-plugin^M
>>  1.6^M
>>  ^M
>>^M
>>  --digest-algo=SHA512^M
>>^M
>>  ^M
>>^M
>>
>> so, it should be at fine at least for the scr, i guess ?
>>
>> cheers
>> pierre
>>
>> On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge 
>> wrote:
>>
>> > Perhaps you're right. Perhaps that parent is just not applied to the
>> > projects I've released. I'll try it next time.
>> >
>> > Thanks Carsten.
>> >
>> > - Ray
>> >
>> > On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler 
>> > wrote:
>> >
>> > > I thought if we use the latest Apache pom as a parent than this is
>> > > solved. Isn't that the case?
>> > >
>> > > Carsten
>> > >
>> > > Am 17.10.2018 um 16:45 schrieb Raymond Auge:
>> > > > Hey everyone,
>> > > >
>> > > > We really need to fix the build to do sha512 and remove MD5.
>> > > >
>> > > > Anyone know the magic or can point me to an example where this is
>> > > > configured I'd appreciate it.
>> > > >
>> > > > Thanks,
>> > > >
>> > >
>> > > --
>> > > Carsten Ziegeler
>> > > Adobe Research Switzerland
>> > > cziege...@apache.org
>> > >
>> >
>> >
>> > --
>> > *Raymond Augé* 
>> >  (@rotty3000)
>> > Senior Software Architect *Liferay, Inc.* 
>> >  (@Liferay)
>> > Board Member & EEG Co-Chair, OSGi Alliance 
>> > (@OSGiAlliance)
>> >
>>
>
>
> --
> *Raymond Augé* 
>  (@rotty3000)
> Senior Software Architect *Liferay, Inc.* 
>  (@Liferay)
> Board Member & EEG Co-Chair, OSGi Alliance 
> (@OSGiAlliance)
>


-- 
*Raymond Augé* 
 (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
 (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance  (@OSGiAlliance)

Re: sha512

2018-10-17 Thread Raymond Auge 
So why didn't they get generated for this last release? I built the release
on the weekend and I didn't get any sha512 files, I generated them myself
as I was adding the files to the dist dir.

- Ray

On Wed, Oct 17, 2018 at 4:26 PM Pierre De Rop 
wrote:

> for example, for declarative service, the scr/pom.xml currently uses the
> latest felix-parent (version 6)
> ->
>
> 
>org.apache.felix
>felix-parent
>6
>
>
>
> and the felix-parent version 6  uses apache parent 21 (which is the latest
> release):
> ->
> ^M
>org.apache^M
>apache^M
>21^M
>^M
>^M
>
> and in the apache parent 21, I see this:
> ->
> ^M
>  org.apache.maven.plugins^M
>  maven-gpg-plugin^M
>  1.6^M
>  ^M
>^M
>  --digest-algo=SHA512^M
>^M
>  ^M
>^M
>
> so, it should be at fine at least for the scr, i guess ?
>
> cheers
> pierre
>
> On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge 
> wrote:
>
> > Perhaps you're right. Perhaps that parent is just not applied to the
> > projects I've released. I'll try it next time.
> >
> > Thanks Carsten.
> >
> > - Ray
> >
> > On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler 
> > wrote:
> >
> > > I thought if we use the latest Apache pom as a parent than this is
> > > solved. Isn't that the case?
> > >
> > > Carsten
> > >
> > > Am 17.10.2018 um 16:45 schrieb Raymond Auge:
> > > > Hey everyone,
> > > >
> > > > We really need to fix the build to do sha512 and remove MD5.
> > > >
> > > > Anyone know the magic or can point me to an example where this is
> > > > configured I'd appreciate it.
> > > >
> > > > Thanks,
> > > >
> > >
> > > --
> > > Carsten Ziegeler
> > > Adobe Research Switzerland
> > > cziege...@apache.org
> > >
> >
> >
> > --
> > *Raymond Augé* 
> >  (@rotty3000)
> > Senior Software Architect *Liferay, Inc.* 
> >  (@Liferay)
> > Board Member & EEG Co-Chair, OSGi Alliance 
> > (@OSGiAlliance)
> >
>


-- 
*Raymond Augé* 
 (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
 (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance  (@OSGiAlliance)

Re: sha512

2018-10-17 Thread Pierre De Rop 
for example, for declarative service, the scr/pom.xml currently uses the
latest felix-parent (version 6)
->


   org.apache.felix
   felix-parent
   6
   
   

and the felix-parent version 6  uses apache parent 21 (which is the latest
release):
->
^M
   org.apache^M
   apache^M
   21^M
   ^M
   ^M

and in the apache parent 21, I see this:
->
^M
 org.apache.maven.plugins^M
 maven-gpg-plugin^M
 1.6^M
 ^M
   ^M
 --digest-algo=SHA512^M
   ^M
 ^M
   ^M

so, it should be at fine at least for the scr, i guess ?

cheers
pierre

On Wed, Oct 17, 2018 at 10:20 PM Raymond Auge 
wrote:

> Perhaps you're right. Perhaps that parent is just not applied to the
> projects I've released. I'll try it next time.
>
> Thanks Carsten.
>
> - Ray
>
> On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler 
> wrote:
>
> > I thought if we use the latest Apache pom as a parent than this is
> > solved. Isn't that the case?
> >
> > Carsten
> >
> > Am 17.10.2018 um 16:45 schrieb Raymond Auge:
> > > Hey everyone,
> > >
> > > We really need to fix the build to do sha512 and remove MD5.
> > >
> > > Anyone know the magic or can point me to an example where this is
> > > configured I'd appreciate it.
> > >
> > > Thanks,
> > >
> >
> > --
> > Carsten Ziegeler
> > Adobe Research Switzerland
> > cziege...@apache.org
> >
>
>
> --
> *Raymond Augé* 
>  (@rotty3000)
> Senior Software Architect *Liferay, Inc.* 
>  (@Liferay)
> Board Member & EEG Co-Chair, OSGi Alliance 
> (@OSGiAlliance)
>

Re: sha512

2018-10-17 Thread Raymond Auge 
Perhaps you're right. Perhaps that parent is just not applied to the
projects I've released. I'll try it next time.

Thanks Carsten.

- Ray

On Wed, Oct 17, 2018 at 4:03 PM Carsten Ziegeler 
wrote:

> I thought if we use the latest Apache pom as a parent than this is
> solved. Isn't that the case?
>
> Carsten
>
> Am 17.10.2018 um 16:45 schrieb Raymond Auge:
> > Hey everyone,
> >
> > We really need to fix the build to do sha512 and remove MD5.
> >
> > Anyone know the magic or can point me to an example where this is
> > configured I'd appreciate it.
> >
> > Thanks,
> >
>
> --
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org
>


-- 
*Raymond Augé* 
 (@rotty3000)
Senior Software Architect *Liferay, Inc.* 
 (@Liferay)
Board Member & EEG Co-Chair, OSGi Alliance  (@OSGiAlliance)

Re: sha512

2018-10-17 Thread Carsten Ziegeler 
I thought if we use the latest Apache pom as a parent than this is 
solved. Isn't that the case?


Carsten

Am 17.10.2018 um 16:45 schrieb Raymond Auge:

Hey everyone,

We really need to fix the build to do sha512 and remove MD5.

Anyone know the magic or can point me to an example where this is
configured I'd appreciate it.

Thanks,



--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org