Re: New release distribution checksum policy


On 24 August 2018 at 14:13, Benedikt Ritter <britter@xxxxxxxxxx> wrote:
> Hi Thomas,
>
> Am Fr., 24. Aug. 2018 um 13:13 Uhr schrieb Thomas Vandahl <tv@xxxxxxxxxx>:
>
>> Hi Benedikt,
>>
>> On 23.08.18 18:25, Benedikt Ritter wrote:
>> > Am Do., 23. Aug. 2018 um 09:16 Uhr schrieb Thomas Vandahl <tv@xxxxxxxxxx
>> >:
>> >
>> >> Shall we use this for commons-parent?
>> >>
>> >
>> > Sounds reasonable to me.
>>
>> If I'm not mistaken, the requirement for SHA-512 checksums only exists
>> for the source distribution, not the binaries. At least this is what I
>> derive from Hervé's implementation in Apache Parent 21. However, the
>> plugin configuration only kicks in if the source release artifact name
>> ends with "-source-release.[zip|tar*]". From what I see in the latest
>> votes, Apache Commons uses another naming scheme (I do, too). Shall we
>> adapt?
>>
>
> What do you mean? Adapt our artifact naming scheme or adapt what Apache
> Parent 21 does? Since SHA-512 checksums are required now, we need to find a
> way to implement this :-) I'm not sure what's the best way for that right
> now. What do others think?

If it really is the case that the Apache Parent POM only creates the
checksums for artifacts with a specific name, then IMO it is badly
broken and needs a bug report.

All artifacts that are linked from the page must have sigs and hashes, and
these must not be MD5 or SHA1.

See:
https://www.apache.org/dev/release-distribution#sigs-and-sums

Note that it says:
"For every artifact distributed to the public through Apache channels,
the PMC..."

Since we distribute the binaries, they must have SHA256+.

> Benedikt
>
>
>>
>> Bye, Thomas
>>
>>
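
Added example, not part of the original message and not Apache tooling: a Python audit of a release staging directory against the rule discussed above (every artifact needs a signature and a SHA-256 or SHA-512 checksum, with no MD5 or SHA-1 sidecars). The file names and contents are constructed, the sidecar's first token is assumed to be the hex digest, and the `.asc` is checked for presence only, not verified.

```python
import hashlib
import tempfile
from pathlib import Path

STRONG = {".sha256": "sha256", ".sha512": "sha512"}   # accepted checksum sidecars
WEAK = (".md5", ".sha1")                              # must not be published
SIDECARS = (".asc", *STRONG, *WEAK)


def audit_release(dist_dir):
    """Return {artifact name: [problems]} for every artifact in dist_dir."""
    dist = Path(dist_dir)
    names = {p.name for p in dist.iterdir() if p.is_file()}
    report = {}
    for name in sorted(n for n in names if not n.endswith(SIDECARS)):
        problems = []
        if name + ".asc" not in names:
            problems.append("missing signature")
        present = [ext for ext in STRONG if name + ext in names]
        if not present:
            problems.append("missing SHA-256/SHA-512 checksum")
        for ext in present:
            # Assumption: the sidecar's first token is the hex digest.
            tokens = (dist / (name + ext)).read_text().split()
            stated = tokens[0].lower() if tokens else ""
            actual = hashlib.new(STRONG[ext], (dist / name).read_bytes()).hexdigest()
            if stated != actual:
                problems.append(f"{ext} mismatch")
        problems += [f"weak {ext} present" for ext in WEAK if name + ext in names]
        report[name] = problems
    return report


def build_sample(dist):
    """Constructed sample: only the '-source-release' artifact got a SHA-512."""
    src = dist / "demo-1.0-source-release.zip"
    bin_ = dist / "demo-1.0-bin.tar.gz"
    src.write_bytes(b"constructed source archive")
    bin_.write_bytes(b"constructed binary archive")
    for art in (src, bin_):
        (dist / (art.name + ".asc")).write_text("constructed signature placeholder")
    digest = hashlib.sha512(src.read_bytes()).hexdigest()
    (dist / (src.name + ".sha512")).write_text(f"{digest}  {src.name}\n")
    (dist / (bin_.name + ".md5")).write_text("constructed md5 placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for artifact, problems in audit_release(tmp).items():
            print(artifact, "->", problems or "OK")
```

The constructed binary archive is the case the thread worries about: it is flagged because its name did not match the pattern that triggers checksum generation.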
