Ah, oops, yes indeed they are reversed, my bad! I certainly agree with all
your points on why it is a good idea, and will update our template after
the release to make sure we do it in the future. Is it better practice to
include the full checksum, or would truncated to the first 8 or so
characters
Full checksum. An attacker can easily generate a binary that matches a given 32
bit bit (8 digit) hash. That’s why we use SHA-256 or SHA-512.
If it helps, here is a typical Calcite vote email:
http://mail-archives.apache.org/mod_mbox/calcite-dev/201906.mbox/%3cCA+EpF8vwOceAeUjv+DJU=zqrkoqu3dwckw
+1 (binding)
src package:
- verified signature/hash
- compared source distribution contents against git tag (54d29e4)
- LICENSE, NOTICE, and DISCLAIMER are present
- unit tests passed
- licenses checked
- built binary distribution
- ran quickstart
bin package:
- verified signature/hash
- verifie
+1 (non-binding)
src package:
- verified signature and hash
- compiled source and ran unit tests
- ran integration tests
- ran RAT check
- checked LICENSE, NOTICE, DISCLAIMER
bin package:
- verified signature and hash
- ran quickstart batch and kafka ingestion tutorial
- checked LICENSE, NOTICE,
