Hi Marlon,

The source release is automatically signed by maven gpg plugin which has 
default sha1 160 bit encryption. We manually have to sign the binary release 
with command line tools and use stronger encryption, hence the discrepancy [1]. 
Maybe there is a way to configure maven plugin to use sha-2 512 bit 
encryption but haven't explored it.

Suresh
[1] http://incubator.apache.org/airavata/development/release-management.html

On Jun 4, 2012, at 5:28 PM, Marlon Pierce wrote:

> Why is the source release digested with SHA1 (I guess)?  See 
> http://people.apache.org/builds/incubator/airavata/0.3-incubating/RC1/.  The 
> zip and tar use SHA512.
> 
> 
> Marlon
> 
> 
> On 6/4/12 1:19 AM, Suresh Marru wrote:
> > Discussion thread for vote on airavata 0.3-incubating release candidate 1.
> > 
> > If you have any questions or feedback or to post results of validating the 
> > release, please reply to this thread. Once you verify the release, please 
> > post your vote to the VOTE thread.  
> > 
> > For reference, the Apache release guide  - 
> > http://www.apache.org/dev/release.html
> > Incubator specific release guidelines - 
> > http://incubator.apache.org/guides/releasemanagement.html
> > 
> > Some tips to validate the release before you vote:
> > 
> > * Download the binary version and run the 5 minute or 10 minute tutorial as 
> > described in README and website.
> > * Download the source files from compressed files and release tag and build 
> > (which includes tests). 
> > * Verify the distribution for the required LICENSE, NOTICE and DISCLAIMER 
> > files
> > * Verify if all the staged files are signed and the signature is 
> > verifiable. 
> > * Verify if the signing key in the project's KEYS file is hosted on a 
> > public server
> > 
> > Thanks for your time in validating the release and voting,
> > Suresh
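
As an added example (not code from the Airavata project or from this thread), the checksum, signature and LICENSE/NOTICE/DISCLAIMER checks from Suresh's list as a POSIX shell script; it accepts both the .sha1 file the Maven gpg plugin emits and the .sha512 file used for the manually signed binaries. It assumes coreutils sha1sum/sha512sum, tar and gpg on PATH, a checksum file in sha1sum/sha512sum format sitting beside the artifact, and that the signing key has already been imported from the project's KEYS file.

```shell
#!/bin/sh
# Added example for validating a staged Apache release artifact before voting.
# Assumptions: coreutils sha1sum/sha512sum, tar and gpg are installed, and the
# checksum file is in "<digest>  <file>" (sha512sum) format next to the artifact.

# Compare the digest in a detached .sha1 or .sha512 file against the artifact.
# Returns 0 on match, 1 on mismatch, 2 for an unrecognised checksum suffix.
verify_checksum() {
    artifact="$1"
    sumfile="$2"
    case "$sumfile" in
        *.sha512) tool=sha512sum ;;
        *.sha1)   tool=sha1sum ;;
        *) echo "unknown checksum type: $sumfile" >&2; return 2 ;;
    esac
    expected=$(awk '{print $1}' "$sumfile")
    actual=$("$tool" "$artifact" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Verify the detached OpenPGP signature <artifact>.asc with gpg.
# The signer's key must already be in the local keyring (imported from KEYS).
verify_signature() {
    artifact="$1"
    gpg --batch --verify "$artifact.asc" "$artifact" 2>/dev/null
}

# Check that a .tar.gz carries LICENSE, NOTICE and DISCLAIMER at some path.
# Returns 0 when all three are present, 1 naming the first one missing.
verify_required_files() {
    listing=$(tar tzf "$1")
    for f in LICENSE NOTICE DISCLAIMER; do
        echo "$listing" | grep -Eq "(^|/)$f\$" \
            || { echo "missing $f in $1" >&2; return 1; }
    done
}

# Run all three checks on one artifact; assumes the checksum file is
# named <artifact>.sha512 (use .sha1 for a Maven-plugin-signed source release).
check_release() {
    verify_checksum "$1" "$1.sha512" \
        && verify_signature "$1" \
        && verify_required_files "$1"
}
```

Run `check_release airavata-0.3-incubating-bin.tar.gz` (file name constructed for illustration) from the directory holding the artifact, its .asc and its checksum file.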
