+1 from me, too.
On Thu, Apr 14, 2016 at 12:12 PM, Pierre Villard <
pierre.villard...@gmail.com> wrote:
> +1
>
> Pierre
>
> 2016-04-14 14:24 GMT+02:00 Joe Percivall :
>
> > +1
> > - - - - - - Joseph Percivalllinkedin.com/in/Percivalle:
> >
+1
Pierre
2016-04-14 14:24 GMT+02:00 Joe Percivall :
> +1
> - - - - - - Joseph Percivalllinkedin.com/in/Percivalle:
> joeperciv...@yahoo.com
>
>
> On Thursday, April 14, 2016 7:55 AM, Joe Skora
> wrote:
>
>
> +1 for SHA256
>
> Whatever
+1
- - - - - - Joseph Percivalllinkedin.com/in/Percivalle: joeperciv...@yahoo.com
On Thursday, April 14, 2016 7:55 AM, Joe Skora wrote:
+1 for SHA256
Whatever process produces the checksums it would be nice if the checksum
files could be made compatible with the
+1 for SHA256
Whatever process produces the checksums it would be nice if the checksum
files could be made compatible with the "--check" option on the md5sum,
sha1sum, and sha256sum commands to simplify validation.
That format is "". With the checksum in
that format, running "md5sum --check
Fair enough. OpenSSL is pretty universal, but there are also OS-specific
commands to perform the same task.
Andy LoPresto
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> On Apr 13, 2016, at 20:13, Aldrin Piri wrote:
>
>
As far as the wrapper script, I'm in favor of the manual process for the
SHA256. The arbitrary shell commands/processes in the Maven build feel too
brittle across operating systems and this is multiplied in conjunction with
a maintained follow on script(s). Overall would prefer just incurring
Tony,
That’s definitely a valid concern that I’m sure benefits all release managers
to review. The conversation below is regarding the checksums for data integrity
only; not the underlying hash used in the GPG signature process.
Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP
I was under the impression not using SHA-1 WAS part of our release, when we
were gpg signing (based off of [1]), which I assumed was the preferred form
of assuring an artifact was not "bad". However, it looks like it isn't in
our checklist to confirm that SHA-1 wasn't used to make the digital
Obviously a +1 for me. With regard to the plugin not supporting it, can’t Maven
execute arbitrary Java/shell commands during build [1]? The issue on MINSTALL
has been open since December 2012. I understand we might need a script wrapper
to handle cross-platform functionality, but this might be
+1
> On Apr 13, 2016, at 6:13 PM, Aldrin Piri wrote:
>
> This was mentioned in the vote thread for the RC2 release and wanted to
> separate it out to keep the release messaging streamlined. As mentioned by
> Andy, the MD5 and SHA1 are subject to collisions. From another
+1. I should have done it this time.
On Wed, Apr 13, 2016 at 9:13 PM, Aldrin Piri wrote:
> This was mentioned in the vote thread for the RC2 release and wanted to
> separate it out to keep the release messaging streamlined. As mentioned by
> Andy, the MD5 and SHA1 are
This was mentioned in the vote thread for the RC2 release and wanted to
separate it out to keep the release messaging streamlined. As mentioned by
Andy, the MD5 and SHA1 are subject to collisions. From another viewpoint, I
like having this as part of the official release process as I typically
12 matches
Mail list logo