[jira] [Commented] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 checksums
[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385363#comment-17385363 ] Bertrand Delacretaz commented on SLING-7534:

Ok, I'll change the download page to include the sha512 only for the "source zip" artifacts. I'm curious, why do we omit sha512 for binaries? Build performance, or because they're not Apache Releases?

> Release policy - stop providing MD5 and start providing SHA-512 checksums
> -
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
> Issue Type: Task
> Components: Tooling
> Reporter: Robert Munteanu
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Parent 43
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD
> no longer provide MD5 checksums for new releases.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385367#comment-17385367 ] Konrad Windszus commented on SLING-7534:

{quote}I'm curious, why do we omit sha512 for binaries? Build performance, or because they're not Apache Releases?{quote}

https://github.com/apache/sling-parent/pull/10#issuecomment-752036257

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385349#comment-17385349 ] Konrad Windszus commented on SLING-7534:

[~bdelacretaz] Thanks for the update but we IMHO never provide SHA512 for binaries, just for source releases.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385348#comment-17385348 ] Bertrand Delacretaz commented on SLING-7534:

I have updated https://sling.apache.org/downloads.cgi to include links to the sha512 digests ([commit bc6efc08|https://github.com/apache/sling-site/commit/bc6efc08c83cdfcb6f00ee7f325626827885926e]), with a warning that some sha* links do not work in this transition phase - which might last quite a long time or actually forever for older releases that won't be updated.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17351181#comment-17351181 ] Konrad Windszus commented on SLING-7534:

[~enorman] Thanks for noticing, it is fixed now in https://github.com/apache/sling-parent/commit/e2a34ea97f6256b6e4aa239c58a9e14d4a7375b4. Managing the plugin version is not necessary at all.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17351168#comment-17351168 ] Eric Norman commented on SLING-7534:

It looks to me like you have the wrong version number for the checksum-maven-plugin; it should be "1.10" instead of "1.10.0". Currently these warnings are logged:

{noformat}
[WARNING] The POM for net.nicoulaj.maven.plugins:checksum-maven-plugin:jar:1.10.0 is missing, no dependency information available
[WARNING] Failed to retrieve plugin descriptor for net.nicoulaj.maven.plugins:checksum-maven-plugin:1.10.0: Plugin net.nicoulaj.maven.plugins:checksum-maven-plugin:1.10.0 or one of its dependencies could not be resolved: Failure to find net.nicoulaj.maven.plugins:checksum-maven-plugin:jar:1.10.0 in http://repo:8081/repository/maven-public/ was cached in the local repository, resolution will not be reattempted until the update interval of enapps-central has elapsed or updates are forced
{noformat}

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17340109#comment-17340109 ] Robert Munteanu commented on SLING-7534:

[~kwin] - I created sub-tasks for the check script and the Committer CLI. I won't be able to work on that in the short term; maybe someone else finds the time.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17339703#comment-17339703 ] Konrad Windszus commented on SLING-7534:

[~rombert] Can you take up adjusting [https://github.com/apache/sling-tooling-release/blob/master/check_staged_release.sh] to check for the mandatory SHA512 for source-release artifacts? I am not that familiar with Bash.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17339641#comment-17339641 ] Konrad Windszus commented on SLING-7534:

With [https://github.com/apache/sling-parent/commit/d5590df5680dc569a8598918fa7fadfbe7bab975] we attach SHA-512 checksums to the build (to upload to the Nexus Staging Repo and to ease pushing to dist).

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17246378#comment-17246378 ] Bertrand Delacretaz commented on SLING-7534:

I don't have time to look at this myself at the moment, I suggest that we keep this ticket open anyway.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17246078#comment-17246078 ] Michael Osipov commented on SLING-7534:

Were you guys able to sort this out? I consider this one as wontfix because you cannot disable the rules on repository.a.o as well as on Maven Central for checksum presence.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208700#comment-17208700 ] Michael Osipov commented on SLING-7534:

Just produced https://repository.apache.org/content/repositories/snapshots/org/apache/maven/apache-maven/3.7.0-SNAPSHOT/ as well as https://repository.apache.org/content/repositories/snapshots/org/apache/maven/resolver/maven-resolver/1.6.2-SNAPSHOT/ with

{noformat}
$ ~/var/apache-maven-3.7.0-SNAPSHOT/bin/mvn -V deploy -Papache-release -Daether.checksums.algorithms="SHA-512,SHA-256,SHA-1,MD5" -Dgpg.skip -Dmaven.javadoc.skip
{noformat}

It can't be easier.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208628#comment-17208628 ] Michael Osipov commented on SLING-7534:

Deploying checksums to a repo is documented [here|https://maven.apache.org/resolver-archives/resolver-LATEST/configuration.html]. Use Resolver 1.6.1 and add {{-Daether.checksums.algorithms=SHA-512,SHA-256,SHA-1,MD5}}. Try that with snapshots first.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208551#comment-17208551 ] Bertrand Delacretaz commented on SLING-7534:

Thank you [~michael-o] for this and especially for the clarifications on how Maven and Nexus handle these things. With this additional info I think the key elements are:
* As per [https://infra.apache.org/release-distribution#sigs-and-sums], our Apache Releases _must supply SHA-256 and/or SHA-512 and should not supply MD5 or SHA-1_.
* On the Maven side of things, hashes are only used for file integrity checks, so not as critical considering that people should validate the file signatures anyway if they care about authenticity.

So I think we can "just" adapt our [release process|https://sling.apache.org/documentation/development/release-management.html] and tools so that SHA-256 or SHA-512 hashes are added to whatever we upload to [https://dist.apache.org|https://dist.apache.org/] and we'll be good.

As per INFRA-14923, Nexus will not generate those hashes but we do need them in the staging repositories that we deploy to [https://repository.apache.org|https://repository.apache.org/] - so based on Michael's explanations I suppose including them in the artifacts that are copied by {{maven-install-plugin}} should work.

Building the {{sling-org-apache-sling-api}} module (as an example) with the {{apache-release}} Maven profile active does generate a {{*source-release.zip.sha512}} hash, but it's not installed in the local repository - that might be the only thing we need to fix?

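The two requirements the thread keeps coming back to, a mandatory SHA-512 next to every source-release artifact in the staged release (Konrad's request for the check script) and no MD5 on what goes to dist (the sigs-and-sums policy Bertrand quotes), can be checked with the script below. It is added here as an example; it is not Sling's check_staged_release.sh and not code from anyone in this thread. It assumes GNU coreutils (sha512sum, md5sum) on the PATH and a flat directory of artifacts with sibling checksum files, as in a checked-out Nexus staging repository or a dist tree; the sample archive and its coordinates (org.apache.sling.sample-1.0.0) are constructed for the example and are not a real Sling module.

```shell
#!/bin/sh
# Added example, not Sling's check_staged_release.sh and not code from this
# thread: check a flat directory of release artifacts (a Nexus staging repo
# checkout or a dist.apache.org tree) against the sigs-and-sums policy as
# discussed here: every *-source-release.zip needs a matching .sha512, and an
# .md5 sibling is reported as deprecated. Assumes GNU coreutils (sha512sum,
# md5sum) on the PATH; the sample archive below is constructed, not real.

# Pull the hex digest out of a .sha512 file. Accepts both layouts found on
# dist: "digest  filename" (sha512sum) and "filename: ABCD EF01 ..." (the
# layout gpg --print-md SHA512 produces: upper case, grouped in fours).
read_digest() {
  sed -e 's/^[^ ]*: *//' "$1" | tr -dc '0-9a-fA-F' | tr 'A-F' 'a-f' | cut -c1-128
}

# Return 0 when every *-source-release.zip in DIR has a .sha512 sibling that
# matches the archive; print one line per finding and return 1 otherwise.
# A stray .md5 is only warned about (the policy says SHOULD NOT, not MUST NOT).
check_source_release_sums() {
  dir=$1
  rc=0
  found=0
  for zip in "$dir"/*-source-release.zip; do
    [ -e "$zip" ] || continue        # unexpanded glob: no archives at all
    found=1
    name=$(basename "$zip")
    if [ ! -f "$zip.sha512" ]; then
      echo "MISSING:  $name.sha512 (SHA-512 is mandatory for source releases)"
      rc=1
    else
      expected=$(read_digest "$zip.sha512")
      actual=$(sha512sum "$zip" | cut -d' ' -f1)
      if [ "$expected" != "$actual" ]; then
        echo "MISMATCH: $name.sha512 does not match the archive"
        rc=1
      fi
    fi
    if [ -e "$zip.md5" ]; then
      echo "WARNING:  $name.md5 present; MD5 should no longer be supplied"
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "MISSING:  no *-source-release.zip in $dir"
    return 1
  fi
  return "$rc"
}

# Constructed sample (hypothetical coordinates, not a real Sling module):
# write a placeholder archive into DIR plus checksum files in STATE.
make_sample_dist() {
  dir=$1
  state=$2
  mkdir -p "$dir"
  name=org.apache.sling.sample-1.0.0-source-release.zip
  zip="$dir/$name"
  printf 'constructed stand-in for a source-release archive\n' > "$zip"
  case $state in
    ok)          (cd "$dir" && sha512sum "$name" > "$name.sha512") ;;
    ok-gpg)      printf '%s: %s\n' "$name" \
                   "$(sha512sum "$zip" | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/.\{4\}/& /g')" \
                   > "$zip.sha512" ;;
    ok-and-md5)  (cd "$dir" && sha512sum "$name" > "$name.sha512" && md5sum "$name" > "$name.md5") ;;
    md5-only)    md5sum "$zip" > "$zip.md5" ;;             # old-style release
    tampered)    sha512sum "$zip" | cut -d' ' -f1 > "$zip.sha512"
                 printf 'x' >> "$zip" ;;                    # archive changed after hashing
  esac
}

# Usage: sh check_sums.sh /path/to/staged/dir   (check_sums.sh is a hypothetical name)
if [ $# -gt 0 ]; then
  check_source_release_sums "$1"
fi
```

The digest normalisation is the part worth keeping even if the rest is rewritten: sha512sum writes "digest  filename" while gpg --print-md SHA512 writes "filename: ABCD EF01 ..." in upper case with spaces, so a plain sha512sum -c rejects the second layout even when the digest is correct; stripping the prefix and everything that is not a hex digit before comparing accepts both. MD5 presence is reported but does not fail the check, matching the SHOULD in the policy; tighten it to rc=1 if the project decides to treat it as a hard rule.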
[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208168#comment-17208168 ] Michael Osipov commented on SLING-7534:

Here is a lot of fuzz and nonsense going on. I think I need to break a stab here:

First of all, a Maven 2 repo always includes MD5 and SHA-1 checksums. You cannot remove them. This is enforced and mandated by Nexus. I have talked with Brian Fox about this (see dev@maven some time ago); this is also not so easy to solve for Maven Central. Sonatype is analyzing the issue, but SHA-256 and SHA-512 are not required in Central. SHA-2 and SHA-3 perform really, really slowly compared to Blake. I am quite certain that this will lead to issues in the future and it must be considered to allow Blake3 hashes as well for maximum perf.

Now the important thing: You are completely mixing Apache release process requirements and Maven transport of artifacts:
* Release: you must upload source-release.zip with a SHA-2 family hash for dist. Period. How you generate it is completely your problem.
* maven-install-plugin: Its sole task is to copy all artifacts in the reactor to the local Maven repo. That's it.
* maven-deploy-plugin: Its sole task is to copy all artifacts in the reactor which are locally installed to a remote location by using Maven Artifact Transfer, which uses Maven Resolver. No checksums are generated by maven-deploy-plugin or Maven Artifact Transfer.

Excursus: What are hashes used for with Maven? They are used to detect bitrot during transfer, i.e., whether the file has been corrupted by some transport mechanism. By no means to verify its authenticity (hello signatures). Maven Resolver generates those checksums and hands them off to a transport implementation to avoid bitrot. No more, no less. All checksums are opaque and an implementation detail of Maven Resolver; they are not and must not be exposed to any upper level.

Maven does not care where an artifact came from; all it cares about is that its integrity has been verified by some means and it is available in the local repo. When you configure Resolver to generate SHA-256 for the transport, it will do so on all requested files (artifacts); if not, file an issue. You will *not* have access to those checksums. If you need checksums at your disposal at release time go exactly here: https://github.com/apache/maven/blob/master/apache-maven/pom.xml#L310-L336

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208092#comment-17208092 ] Andrea Tarocchi commented on SLING-7534:

[~kwin] If I got all this correctly: https://issues.apache.org/jira/browse/MRESOLVER-140 has been reverted, so we need to use {{net.nicoulaj.maven.plugins:checksum-maven-plugin}} to generate sha512/256 checksums, but then those checksum files are md5/sha1 checked again during upload to nexus?

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208086#comment-17208086 ] Konrad Windszus commented on SLING-7534:

For performance reasons SHA512/256 won't ever be generated/uploaded by default in Maven (MRESOLVER-130). Therefore we have to use a dedicated plugin to generate SHA512, but currently this has poor support for uploading it to the Stage repository. For details look at https://github.com/apache/sling-parent/pull/10.

[ https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17143303#comment-17143303 ] Konrad Windszus commented on SLING-7534:

Due to several issues with manually generating checksums we are blocked until MRESOLVER-56 is released.