Re: [VOTE] Incorporate SHA256 part of release process

+1 from me, too. On Thu, Apr 14, 2016 at 12:12 PM, Pierre Villard < pierre.villard...@gmail.com> wrote: > +1 > > Pierre > > 2016-04-14 14:24 GMT+02:00 Joe Percivall : > > > +1 > > - - - - - - Joseph Percivalllinkedin.com/in/Percivalle: > >

Re: [VOTE] Incorporate SHA256 part of release process

+1 Pierre 2016-04-14 14:24 GMT+02:00 Joe Percivall : > +1 > - - - - - - Joseph Percivalllinkedin.com/in/Percivalle: > joeperciv...@yahoo.com > > > On Thursday, April 14, 2016 7:55 AM, Joe Skora > wrote: > > > +1 for SHA256 > > Whatever

Re: [VOTE] Incorporate SHA256 part of release process

+1  - - - - - - Joseph Percivalllinkedin.com/in/Percivalle: joeperciv...@yahoo.com On Thursday, April 14, 2016 7:55 AM, Joe Skora wrote: +1 for SHA256 Whatever process produces the checksums it would be nice if the checksum files could be made compatible with the

Re: [VOTE] Incorporate SHA256 part of release process

+1 for SHA256 Whatever process produces the checksums it would be nice if the checksum files could be made compatible with the "--check" option on the md5sum, sha1sum, and sha256sum commands to simplify validation. That format is "". With the checksum in that format, running "md5sum --check

Re: [VOTE] Incorporate SHA256 part of release process

Fair enough. OpenSSL is pretty universal, but there are also OS-specific commands to perform the same task. Andy LoPresto alopresto.apa...@gmail.com PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Apr 13, 2016, at 20:13, Aldrin Piri wrote: > >

Re: [VOTE] Incorporate SHA256 part of release process

As far as the wrapper script, I'm in favor of the manual process for the SHA256. The arbitrary shell commands/processes in the Maven build feel too brittle across operating systems and this is multiplied in conjunction with a maintained follow on script(s). Overall would prefer just incurring

Re: [VOTE] Incorporate SHA256 part of release process

Tony, That’s definitely a valid concern that I’m sure benefits all release managers to review. The conversation below is regarding the checksums for data integrity only; not the underlying hash used in the GPG signature process. Andy LoPresto alopre...@apache.org alopresto.apa...@gmail.com PGP

Re: [VOTE] Incorporate SHA256 part of release process

I was under the impression not using SHA-1 WAS part of our release, when we were gpg signing (based off of [1]), which I assumed was the preferred form of assuring an artifact was not "bad". However, it looks like it isn't in our checklist to confirm that SHA-1 wasn't used to make the digital

Re: [VOTE] Incorporate SHA256 part of release process

Obviously a +1 for me. With regard to the plugin not supporting it, can’t Maven execute arbitrary Java/shell commands during build [1]? The issue on MINSTALL has been open since December 2012. I understand we might need a script wrapper to handle cross-platform functionality, but this might be

Re: [VOTE] Incorporate SHA256 part of release process

+1 > On Apr 13, 2016, at 6:13 PM, Aldrin Piri wrote: > > This was mentioned in the vote thread for the RC2 release and wanted to > separate it out to keep the release messaging streamlined. As mentioned by > Andy, the MD5 and SHA1 are subject to collisions. From another

Re: [VOTE] Incorporate SHA256 part of release process

+1. I should have done it this time. On Wed, Apr 13, 2016 at 9:13 PM, Aldrin Piri wrote: > This was mentioned in the vote thread for the RC2 release and wanted to > separate it out to keep the release messaging streamlined. As mentioned by > Andy, the MD5 and SHA1 are

[VOTE] Incorporate SHA256 part of release process

This was mentioned in the vote thread for the RC2 release and wanted to separate it out to keep the release messaging streamlined. As mentioned by Andy, the MD5 and SHA1 are subject to collisions. From another viewpoint, I like having this as part of the official release process as I typically