[
https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15108714#comment-15108714
]
Martin Grigorov commented on WICKET-6074:
-----------------------------------------
Using the non-gpg programs to create the .md5 and .sha files helps with the
verification.
Using non-standard way, like GPG, makes it cumbersome to verify. And I guess
this is part of the reason why no one even checks this during voting.
Now Maxim tried to verify it and it failed for him.
I don't see why to keep using GPG digests even if they are very common in
Apache projects.
Even the .sha name should be renamed to .sha1 or .sha256 or whatever algorithm
is used. Otherwise I have to try all of the possible options to be able to
verify it.
> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
> Issue Type: Task
> Components: release
> Affects Versions: 6.21.0, 7.2.0
> Reporter: Martin Grigorov
> Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release:
> http://markmail.org/message/yu2f64rndmncseyd
> There are few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz >
> target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
> The MD5 algorithm should not be used any more for security related
> purposes. Instead, better use an SHA-2 algorithm, implemented in the
> programs sha224sum(1), sha256sum(1), sha384sum(1),
> sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to
> make it simpler for checking later with "sha256sum -c"
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
