Hi, I am a committer of the ASF project Sling which heavily relies on Maven. We obviously have to follow the ASF policy as well to distribute SHA512 or SHA256 checksums along with our source releases. While the first support for this has been made by https://issues.apache.org/jira/browse/MPOM-205 (thanks a lot for that) I am still not supposed to upload the checksums to the ASF Staging Repo (Nexus) because Nexus will not detect those as checksums and will generate sha1 and md5 files for my custom checksum as well.
You guys are basically saying that the sha512 checksum is not supposed to be uploaded to the Staging repo (also in https://issues.apache.org/jira/browse/MINSTALL-138), but then I wonder how to validate a release based on the staging repository? At least the checksum can no longer be (half-automatically) validated. The only way to validate would be to include the checksum as text in the vote email, and everyone verifying would need to check it against their own build. That is a lot of overhead compared to previously just automatically checking the generated SHA1/MD5 checksums.

Also we often have the situation that the release managers are not PMC members and therefore need to ask other people to push to dist. These steps were fairly easy in the past as it was only required to download the staged repo and push that to the according SVN repo. But now it would rather require to check out/clone the tagged release from the SCM and build it on your own, which can be pretty time consuming and also makes the staging partly useless.

How do you guys at Maven live the ASF release process with SHA512 checksums? The guidelines at https://maven.apache.org/developers/release/maven-project-release-procedure.html are a little bit fuzzy in that regard.

Thanks in advance for any input,
Konrad
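The manual step Konrad describes, a voter checking a downloaded source release against the SHA-512 digest quoted in the vote mail, as an added shell example that is not part of this thread; the demo file name and its digest are constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original mail: verify a staged source archive
# against the SHA-512 value the release manager quoted in the vote mail.
# File names and the digest below are constructed for the demo; a real check
# points at the downloaded *-source-release.zip and the digest from the mail.

# sha512_of FILE -> prints the lowercase hex SHA-512 digest of FILE.
# Uses sha512sum (GNU coreutils) or falls back to shasum (BSD/macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_release_checksum FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 on mismatch, 2 when FILE is missing.
# The expected value is normalised (case, stray spaces/newlines) because
# mail clients tend to re-wrap or upper-case long hex strings.
verify_release_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \n')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Constructed demo artifact standing in for a *-source-release.zip.
DEMO_DIR=$(mktemp -d)
DEMO_FILE="$DEMO_DIR/sling-demo-1.0.0-source-release.zip"
printf 'demo release content\n' > "$DEMO_FILE"
# The "vote mail" digest is computed here only to keep the demo self-contained;
# in a real vote it is copied from the mail, never derived from the download.
DEMO_DIGEST=$(sha512_of "$DEMO_FILE")
```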
