[jira] [Comment Edited] (WICKET-6074) Use SHA 256+ for signing the release artefacts

Mon, 06 Feb 2017 00:22:57 -0800 

    [ 
https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853664#comment-15853664
 ] 

Maxim Solodovnik edited comment on WICKET-6074 at 2/6/17 8:22 AM:
------------------------------------------------------------------

According to Apache rules: 
http://www.apache.org/legal/release-policy.html#release-approval before VOTE +1 
every PMC need to check checksums and signatures
It is extremely hard for Wicket :(
Using sha256sum will improve the process a lot.

Maven can be used to create signatures
GPG - maven-gpg-plugin
sha256 - net.nicoulaj.maven.plugins:checksum-maven-plugin (with 
shasumSummaryFile option)



was (Author: solomax):
According to Apache rules: 
http://www.apache.org/legal/release-policy.html#release-approval before VOTE +1 
every PMC need to check checksums and signatures
It is extremely hard for Wicket :(
Using sha256sum will improve the process a lot.

Maven can be used to create signatures
GPG - maven-gpg-plugin
sha256 - net.ju-n.maven.plugins:checksum-maven-plugin (with shasumSummaryFile 
option)


> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
>                 Key: WICKET-6074
>                 URL: https://issues.apache.org/jira/browse/WICKET-6074
>             Project: Wicket
>          Issue Type: Task
>          Components: release
>    Affects Versions: 6.21.0, 7.2.0
>            Reporter: Martin Grigorov
>            Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release: 
> http://markmail.org/message/yu2f64rndmncseyd
> There are few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > 
> target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
>        The MD5 algorithm should not be used any more for security related 
> purposes.  Instead, better use an SHA-2 algorithm, implemented  in  the  
> programs  sha224sum(1),  sha256sum(1),  sha384sum(1),
>        sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to 
> make it simpler for checking later with "sha256sum -c"



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to