[GitHub] [maven-apache-parent] kwin commented on pull request #40: [MPOM-244] upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-947456326

You are right that the format is not stated on https://www.apache.org/info/verification.html, but I would conclude that from https://infra.apache.org/release-signing.html#basic-facts

> and another file containing a SHA or MD5) checksum.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [maven-apache-parent] kwin commented on pull request #40: [MPOM-244] upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-947445073

I do agree with

> I consider SHA-2 for Maven Central as mostly pointless and pure waste of CPU cycles.

but the same is true for MD5 and SHA1. It would have been wise to use a (non-secure) hash = checksum for Maven in the first place, but this is outside the scope of this issue.

The format of hashes in Apache Dist is standardized among all ASF projects, and the information from https://www.apache.org/info/verification.html implies that you MUST(!) use the raw hash in the files!
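Whatever layout a project settles on for its `.sha512` file, a consumer verifying a source release has to cope with the two layouts that are in circulation: the bare hex digest that the comment above argues for, and the coreutils `sha512sum` layout `<hex>  <filename>`. The following verifier is an added example written for this page; it is not code from maven-apache-parent, checksum-maven-plugin or ASF infra, and it does not decide which layout the ASF mandates. The artifact name and bytes are constructed inline; the rejection of a digest whose length does not match the named algorithm (a SHA-1 digest sitting in a `.sha512` file) and of a checksum line naming a different file are the checks a verifier should not skip.

```python
"""Verify a detached checksum file against a release artifact.

Added example, not project code. Accepts the bare-digest layout and the
coreutils layout "<hex>  <filename>" (one or more spaces, optional '*' for
binary mode). Anything else is refused rather than silently accepted.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Hex digest lengths for the three algorithms named in the thread.
_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha512": 128}

_LINE_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)(?:\s+\*?(?P<name>\S.*))?$")


def parse_checksum_file(text: str, algo: str) -> Tuple[str, Optional[str]]:
    """Return (lowercase hex digest, declared filename or None).

    Raises ValueError unless the file is exactly one well-formed digest line
    whose length matches `algo`, so a truncated, doubled or wrong-algorithm
    file cannot "verify" anything.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected one checksum line, got {len(lines)}")
    m = _LINE_RE.match(lines[0])
    if not m:
        raise ValueError("malformed checksum line")
    hexdigest = m.group("hex").lower()
    if len(hexdigest) != _DIGEST_LEN[algo]:
        raise ValueError(
            f"{algo} digest must be {_DIGEST_LEN[algo]} hex chars, got {len(hexdigest)}"
        )
    return hexdigest, m.group("name")


def verify(artifact: Path, checksum_file: Path, algo: str = "sha512") -> bool:
    """True if `artifact` hashes to the digest in `checksum_file`."""
    expected, declared = parse_checksum_file(checksum_file.read_text(), algo)
    # In the coreutils layout the declared name must be the file we hash;
    # otherwise a checksum for some other file would pass for this one.
    if declared is not None and Path(declared).name != artifact.name:
        raise ValueError(f"checksum names {declared!r}, not {artifact.name!r}")
    h = hashlib.new(algo)
    with artifact.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected


def demo() -> dict:
    """Run verify() over constructed inputs; returns the outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        # Constructed placeholder, not a real Apache release artifact.
        artifact = tmp / "maven-parent-33-source-release.zip"
        artifact.write_bytes(b"PK\x03\x04 constructed placeholder, not a real zip\n")
        digest = hashlib.sha512(artifact.read_bytes()).hexdigest()

        (tmp / "raw.sha512").write_text(digest + "\n")
        (tmp / "coreutils.sha512").write_text(f"{digest}  {artifact.name}\n")
        (tmp / "othername.sha512").write_text(f"{digest}  other.zip\n")
        (tmp / "tampered.sha512").write_text("0" * 128 + "\n")
        (tmp / "sha1-in-sha512.sha512").write_text("a" * 40 + "\n")

        results["raw"] = verify(artifact, tmp / "raw.sha512")
        results["coreutils"] = verify(artifact, tmp / "coreutils.sha512")
        results["tampered"] = verify(artifact, tmp / "tampered.sha512")
        for case in ("othername", "sha1-in-sha512"):
            try:
                verify(artifact, tmp / f"{case}.sha512")
                results[case] = "accepted"
            except ValueError:
                results[case] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

The digest comparison proves integrity only: a checksum fetched from the same host as the artifact tells you the download was not corrupted, not who produced it, which is why the thread treats the `.asc` signature and the checksum as separate artifacts.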
[GitHub] [maven-apache-parent] kwin commented on pull request #40: [MPOM-244] upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-947361194

ASF mandates this format: https://www.apache.org/info/verification.html
[GitHub] [maven-apache-parent] kwin commented on pull request #40: [MPOM-244] upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-857421992

@hboutemy See my answer in https://github.com/apache/maven-apache-parent/pull/40#issuecomment-831703133
[GitHub] [maven-apache-parent] kwin commented on pull request #40: MPOM-244 upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-849530137

I rather meant handled by throwing an exception if the checksum artifact name collides with one of the attached artifacts.
[GitHub] [maven-apache-parent] kwin commented on pull request #40: MPOM-244 upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-849482193

I think this should be handled in the resolver in https://github.com/apache/maven-resolver/blob/17ea285d40e8cdd183d45b074f74aae6d9f3d3fc/maven-resolver-connector-basic/src/main/java/org/eclipse/aether/connector/basic/BasicRepositoryConnector.java#L286.
[GitHub] [maven-apache-parent] kwin commented on pull request #40: MPOM-244 upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-849012702

I answered the first question already in https://github.com/apache/maven-apache-parent/pull/40#issuecomment-831703133:

> Although the SHA-512 artifact being calculated by the checksum-maven-plugin will get another MD5/SHA1 checksum when being deployed that IMHO doesn't do any harm.

For the 2nd question, I have not tried, but most probably resolver will just overwrite the existing file. For now this isn't an issue, because I don't see a reason why ASF projects should generate SHA-512 by Maven Resolver; it won't ever be enabled by default for performance reasons.
[GitHub] [maven-apache-parent] kwin commented on pull request #40: MPOM-244 upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-846447592

I can do that, but for clarity reasons I would still reorder in the POM.
[GitHub] [maven-apache-parent] kwin commented on pull request #40: MPOM-244 upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-846429451

The `files` goal never attaches with a classifier, therefore we can't use it.
[GitHub] [maven-apache-parent] kwin commented on pull request #40: MPOM-244 upload SHA-512 only for source-release to staging repo
kwin commented on pull request #40:
URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-845799597

Let me summarize the status quo (without PR):

1. `gpg-maven-plugin:sign` executed in phase `verify`, calculates ASC files for almost all attached files (except for MD5, SHA1 and ASC)
2. `checksum-maven-plugin:files` executed in phase `verify`, calculates the checksum based on filename (considering the extension) but does not attach it

With this PR the order is inverted:

1. `checksum-maven-plugin:artifacts` executed in phase `verify`, calculates the checksum based on classifier (disregarding the extension) and attaches it to the project
2. `gpg-maven-plugin:sign` executed in phase `verify`, calculates ASC files for almost all attached files (except for MD5, SHA1, SHA-512 and ASC)

Without the inverted order the `checksum-maven-plugin` would calculate a checksum for the `ASC` for `source-release` as well, which is certainly not desired.
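The ordering argument in the comment above, and the collision-by-exception handling kwin asks for earlier in the thread, can be made concrete with a small model of the `verify` phase. This is an added example written for this page, not Maven, maven-apache-parent or either plugin: each "plugin" is a function over the list of attached artifact file names, the classifier is read off the file name (Maven itself tracks it as metadata), and the skip lists are taken from the comment, with one assumption made explicit in the code: the checksum step skips existing checksum files but not signatures, since the comment says it would otherwise checksum the `.asc`. Running the two steps in both orders shows which order produces a checksum of a signature.

```python
"""Model of plugin ordering in the Maven `verify` phase (added example, not Maven).

Attached artifacts are plain file names. checksum_step mimics
checksum-maven-plugin:artifacts restricted to one classifier; gpg_step mimics
gpg-maven-plugin:sign. Only the skip rules stated in the thread are modelled.
"""
from typing import Callable, List

# From the comment above: gpg does not sign checksum or signature files.
GPG_SKIP = ("md5", "sha1", "sha512", "asc")
# Assumption for this model: the checksum step skips existing checksums but
# not signatures, which is why gpg-first yields an "<name>.asc.sha512".
CHECKSUM_SKIP = ("md5", "sha1", "sha512")

Step = Callable[[List[str]], List[str]]


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def checksum_step(attached: List[str], classifier: str = "source-release") -> List[str]:
    """Attach a .sha512 for every eligible artifact carrying `classifier`."""
    out = list(attached)
    for name in attached:
        if f"-{classifier}." not in name or _ext(name) in CHECKSUM_SKIP:
            continue
        sha = f"{name}.sha512"
        # The case kwin wants handled by throwing: never silently replace an
        # artifact that is already attached under the checksum's name.
        if sha in out:
            raise RuntimeError(f"checksum artifact {sha} collides with an attached artifact")
        out.append(sha)
    return out


def gpg_step(attached: List[str]) -> List[str]:
    """Attach a detached signature for every artifact not in GPG_SKIP."""
    out = list(attached)
    for name in attached:
        if _ext(name) in GPG_SKIP:
            continue
        out.append(f"{name}.asc")
    return out


def run_verify_phase(attached: List[str], order: List[Step]) -> List[str]:
    for step in order:
        attached = step(attached)
    return sorted(attached)


# Constructed project: the POM plus its source-release zip (hypothetical names).
ATTACHED = ["maven-parent-33.pom", "maven-parent-33-source-release.zip"]


def gpg_then_checksum() -> List[str]:
    """The order the comment warns against: the .asc gets checksummed too."""
    return run_verify_phase(ATTACHED, [gpg_step, checksum_step])


def checksum_then_gpg() -> List[str]:
    """The PR's order: checksum the release, then sign everything but checksums."""
    return run_verify_phase(ATTACHED, [checksum_step, gpg_step])


def unwanted(names: List[str]) -> List[str]:
    """Checksums of signatures, which the comment calls 'certainly not desired'."""
    return [n for n in names if n.endswith(".asc.sha512")]


if __name__ == "__main__":
    for label, result in (("gpg then checksum", gpg_then_checksum()),
                          ("checksum then gpg", checksum_then_gpg())):
        print(label, "->", result, "unwanted:", unwanted(result))
```

With the PR's order the SHA-512 file is itself left unsigned because `gpg-maven-plugin` skips the `sha512` extension; the signature that matters for the release is the one over the `source-release` zip.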