Hi JB, I am pretty sure it is a strong requirement. For all of our last releases, the announcement mail got bounced back, because we didn't provide those hashes.
They are also listed on the "verify" page: https://www.apache.org/info/verification.html It is also required for "release download pages": https://infra.apache.org/release-download-pages.html Although the current version does not mention hashes anymore (the previous version did). - Ben Am Do., 3. März 2022 um 08:03 Uhr schrieb Jean-Baptiste Onofré <[email protected]>: > > Hi, > > From an Apache standpoint, there are no strong requirements with a particular > hash, but it's required to have any mechanism to verify source artifacts. > So, as it's an easy fix, I agree that it would be better to cancel this vote > to include sha512 hash on source artifacts. > > Regards > JB > > On Wed, Mar 2, 2022 at 9:44 PM Benjamin Marwell <[email protected]> wrote: >> >> -1, sadly, because: >> >> [SHIRO-838] - Create SHA512-Hashes >> >> They are not attached. >> However, those hashes are required by the ASF (sha256 and sha512 to be >> exact). >> We currently have none of those attached. >> >> François and I found out we were using an outdated version of the Apache >> parent pom. >> >> So we need to: >> 1. Update to a later Apache parent pom >> 2. Add sha256 in the configuration >> >> This shouldn't be much work though. >> >> - Ben >> >> On Wed, 2 Mar 2022, 09:17 Francois Papon, <[email protected]> >> wrote: >> >> > This is a call to vote in favor of releasing Apache Shiro version 1.9.0. >> > >> > We solved 20 issues for 1.9.0: >> > >> > >> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12350639 >> > < >> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310950&version=12350639 >> > > >> > >> > Bug >> > >> > [SHIRO-829] - beanPostProcessor and FactoryBean cause aop to fail in >> > the same Configuration >> > [SHIRO-845] - Dependencies for test-jars missing >> > >> > Improvement >> > >> > [SHIRO-804] - Avoid conflicts with spring boot aop >> > [SHIRO-836] - Delete jsecurty-sample.jks >> > [SHIRO-838] - Create SHA512-Hashes >> > [SHIRO-846] - Creation of site takes very long time >> > [SHIRO-848] - Relative Path in pom.xml is not needed >> > [SHIRO-850] - The profile name jdk19-plus is misleading >> > [SHIRO-851] - Handling properties for compile/enconding vs. default >> > configurations of plugins >> > [SHIRO-852] - Configuration for maven-release-plugin prepationGoal >> > should be changed >> > [SHIRO-853] - Versions of maven-surefire/failsafe/report plugin are >> > not in sync >> > [SHIRO-854] - Konfiguration includes/excludes maven-failsafe-plugin >> > can be reduced to default >> > [SHIRO-860] - update logback to 1.2.10 >> > [SHIRO-862] - Replace Google Analytics with Matomo for new Javadocs >> > >> > Task >> > >> > [SHIRO-841] - NullPointerException from >> > SessionsSecurityManager.start() >> > [SHIRO-867] - Skip Deployment of integration-test and samples >> > artifacts >> > >> > Dependency upgrade >> > >> > [SHIRO-828] - aspectj-maven-plugin 1.14.0 >> > [SHIRO-842] - shiro-web depends on older log4j >> > [SHIRO-843] - Update maven-project-info-reports >> > [SHIRO-844] - Update maven-javadoc-plugin to 3.3.1 >> > >> > >> > The source to be voted upon: >> > https://github.com/apache/shiro/tree/shiro-root-1.9.0-release-vote1 >> > >> > Staging repo for binaries: >> > https://repository.apache.org/content/repositories/orgapacheshiro-1038 >> > >> > Project website (just for informational purposes, not to be voted upon): >> > http://shiro.apache.org/ >> > >> > Guide to testing staged releases: >> > http://maven.apache.org/guides/development/guide-testing-releases.html >> > >> > Vote open for 72 hours. Please examine the source and binaries before >> > voting. >> > >> > [ ] +1 >> > [ ] +0 >> > [ ] -1 (please include reasoning) >> > >> >
