Hi,
the INFRA ticket just got updated.
Could someone have a look whether I am describing the process/issue
correctly?
https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461830#comment-17461830
Thanks,
Til
Forwarded Message
Subject:[jira] [Comment Edited] (INFRA-22540) Change "Apache Rules" in
Nexus to check for sha256/512 instead of sha1/md5
Date: Sat, 18 Dec 2021 10:26:00 + (UTC)
From: Herve Boutemy (Jira)
To: tilma...@apache.org
[
https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461830#comment-17461830
]
Herve Boutemy edited comment on INFRA-22540 at 12/18/21, 10:25 AM:
---
We had such a discussion at the Maven level: there is in general a confusion
between
1. Apache rules on source releases to dist, which mandate sha256/sha512
2. Central rules on every artifact (jar, pom, anything not related to the
Apache source release), which still ask for sha1/md5 checksums and a
PGP signature for more serious checks
In Apache parent POM release 24 (MPOM-244), we added a configuration to
generate sha512 for source-release artifacts when publishing to
Nexus/Central to help projects: see the documentation at
https://maven.apache.org/pom/asf/#The_apache-release_Profile
But not every project uses the Apache parent POM, or has not upgraded to 24,
or does not even use Maven to build, so I don't know what the best
solution for [~tilmannz] is.
At least, please consider the difference in policy between the Apache source
release archive and any other artifact published to Central if you change
something.
was (Author: hboutemy):
We had such a discussion at the Maven level: there is in general a confusion
between
1. Apache rules on source releases to dist, which mandate sha256/sha512
2. Central rules on every artifact (jar, pom, anything not related to the
Apache source release), which still ask for sha1/md5 checksums and a
PGP signature for more serious checks
In Apache parent POM release 24 (MPOM-244), we added a configuration to
generate sha512 for source-release artifacts when publishing to
Nexus/Central to help projects: see the documentation at
https://maven.apache.org/pom/asf/#The_apache-release_Profile
But not every project uses the Apache parent POM, or has not upgraded to 24,
or does not even use Maven to build, so I don't know what the best
solution for [~tilmannz] is.
At least, please consider the difference in policy between the Apache release
source release and any artifact published to Central if you change something.
Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5
--
Key: INFRA-22540
URL: https://issues.apache.org/jira/browse/INFRA-22540
Project: Infrastructure
Issue Type: Improvement
Components: Nexus
Reporter: Tilmann Zäschke
Priority: Major
The Release Distribution Policy
(https://infra.apache.org/release-distribution) states:
"PMCs must supply SHA-256 and/or SHA-512 and should not supply MD5 or
SHA-1."
However, currently the Apache Rules in Nexus appear to enforce that
all files (including .zip and .tar.gz) have .sha1 and .md5
pendants. For our project, "closing" a release candidate fails with:
Event: Failed: Checksum Validation
typeId checksum-staging
failureMessage Required SHA-1:
'/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1'
failureMessage Required MD5:
'/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5'
failureMessage Required SHA-1:
'/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1'
failureMessage Required MD5:
'/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5'
Can the Apache Rules in Nexus be adapted to allow or even enforce that
files (other than .jar/.pom) be signed with sha256/sha512 instead
of sha1/md5?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
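The thread turns on two different checksum policies applied to the same staging directory: the Apache release distribution policy for the source-release archive (SHA-256/SHA-512 required, MD5/SHA-1 should not be supplied) and the Nexus "Apache Rules" as described in the ticket (.sha1 and .md5 required for every file). The script below is an added example, not code from the thread, Nexus or the Apache parent POM; it models both policies as data, generates checksum sidecars in the `hex  filename` layout that `sha512sum`-style tools produce, and then checks a constructed artifact against each policy. It also verifies that every sidecar actually matches the artifact, because a stale checksum file passes a presence-only rule while giving a downstream verifier false assurance. The artifact name, bytes and the "Required ..." message wording are constructed for the example; PGP signature verification, which the comment calls the more serious check, is outside its scope.

```python
"""Checksum sidecar policy checker (constructed example, not Nexus code)."""
import hashlib
import tempfile
from pathlib import Path

# Two policies from the thread, expressed as data so they can be compared side by side.
# "dist": Apache release distribution policy for the source-release archive.
# "central": the Nexus "Apache Rules" behaviour described in INFRA-22540.
POLICIES = {
    "dist": {"required_any": ("sha256", "sha512"), "discouraged": ("md5", "sha1")},
    "central": {"required_all": ("sha1", "md5"), "discouraged": ()},
}
KNOWN_ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest(path, algo):
    """Stream the file through hashlib so large archives do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar(artifact, algo):
    """Sidecar path convention: <artifact>.<algo>, e.g. foo.zip.sha512."""
    return artifact.with_name(artifact.name + "." + algo)


def write_sidecars(artifact, algos):
    """Generate checksum files in the 'hex  filename' form used by sha512sum/shasum."""
    for algo in algos:
        sidecar(artifact, algo).write_text(f"{digest(artifact, algo)}  {artifact.name}\n")


def check_artifact(artifact, policy):
    """Return a list of failure messages for the artifact under the policy (empty = compliant)."""
    rules = POLICIES[policy]
    failures = []
    present = {a: sidecar(artifact, a) for a in KNOWN_ALGOS if sidecar(artifact, a).exists()}
    # Presence rules: every listed algorithm must exist ("central" style) ...
    for algo in rules.get("required_all", ()):
        if algo not in present:
            failures.append(f"Required {algo.upper()}: '{artifact.name}.{algo}'")
    # ... or at least one of a set must exist ("dist" style).
    any_req = rules.get("required_any", ())
    if any_req and not any(a in present for a in any_req):
        names = "/".join(a.upper() for a in any_req)
        failures.append(f"Required one of {names}: '{artifact.name}'")
    # Algorithms the policy says should not be supplied at all.
    for algo in rules["discouraged"]:
        if algo in present:
            failures.append(f"Should not supply {algo.upper()}: '{present[algo].name}'")
    # Content rule: a sidecar that is present but wrong is flagged regardless of policy.
    for algo, side in present.items():
        recorded = side.read_text().split()[0].lower()
        if recorded != digest(artifact, algo):
            failures.append(f"Mismatched {algo.upper()}: '{side.name}'")
    return failures


def demo():
    """Build a constructed staging layout and evaluate it under both policies."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed placeholder artifact; the bytes are not a real archive.
        artifact = Path(tmp) / "example-1.0-source-release.zip"
        artifact.write_bytes(b"PK\x03\x04 constructed placeholder, not a real release")
        results = {}
        # Step 1: what the ticket describes Nexus demanding today.
        write_sidecars(artifact, ("sha1", "md5"))
        results["central_with_sha1_md5"] = check_artifact(artifact, "central")
        results["dist_with_sha1_md5"] = check_artifact(artifact, "dist")
        # Step 2: add the sha512 that parent POM 24 generates for source releases.
        write_sidecars(artifact, ("sha512",))
        results["dist_after_sha512"] = check_artifact(artifact, "dist")
        # Step 3: simulate a stale sidecar left over from an earlier build.
        sidecar(artifact, "sha1").write_text(f"deadbeef  {artifact.name}\n")
        results["central_stale_sha1"] = check_artifact(artifact, "central")
        return results


if __name__ == "__main__":
    for scenario, failures in demo().items():
        print(scenario, "->", failures or "OK")
```

Running it shows the conflict the ticket reports: the layout that satisfies the "central" rule fails the "dist" rule outright, and adding a .sha512 sidecar still leaves two "should not supply" findings because the .md5/.sha1 files remain. The stale-sidecar scenario is the case a presence-only check cannot see.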