[
https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853895#comment-15853895
]
Martijn Dashorst commented on WICKET-6074:
------------------------------------------
Please explain why it is extremely hard and not just hard or merely
inconvenient?
You already need to use gpg to verify the download of the release based on the
private/public key signing. It is one installation (I'd preferably install it
through a package management system like homebrew (macOS) or chocolatey/oneget
(Windows)) away.
You need maven, java, an IDE, etc. to be able to develop with Wicket. GPG is
just one of the tools you need and is available for all platforms, so it is
rather well suited as the default key generator (we already must sign the
release with a GPG key pair) and digest checksum(s).
> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
> Issue Type: Task
> Components: release
> Affects Versions: 6.21.0, 7.2.0
> Reporter: Martin Grigorov
> Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release:
> http://markmail.org/message/yu2f64rndmncseyd
> There are a few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
> The MD5 algorithm should not be used any more for security related
> purposes. Instead, better use an SHA-2 algorithm, implemented in the
> programs sha224sum(1), sha256sum(1), sha384sum(1),
> sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to
> make it simpler for checking later with "sha256sum -c"
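The checksum workflow proposed in points 1) and 3) of the issue, as an added example that is not Wicket's release.sh: write the digest in the `<hex>  <name>` format that `sha256sum -c` reads, then verify a download against it and confirm that a modified file is rejected. The function names are my own, the artifact is constructed, and GNU coreutils `sha256sum` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not the project's release.sh): SHA-256 checksum file that
# `sha256sum -c` can consume directly. Assumes GNU coreutils sha256sum.
set -eu

# make_sha256_file ARTIFACT: writes ARTIFACT.sha256 containing "<hex>  <name>"
make_sha256_file() {
  artifact=$1
  dir=$(dirname "$artifact")
  name=$(basename "$artifact")
  # Run inside the artifact's directory so the recorded path is the bare file
  # name, which is how a downloader will later run `sha256sum -c`.
  (cd "$dir" && sha256sum "$name" > "$name.sha256")
  echo "$artifact.sha256"
}

# verify_sha256_file ARTIFACT: exit 0 only if ARTIFACT matches ARTIFACT.sha256
verify_sha256_file() {
  artifact=$1
  dir=$(dirname "$artifact")
  name=$(basename "$artifact")
  (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1)
}

# demo: constructed stand-in for apache-wicket-$version.tar.gz; returns 0 when
# the intact file verifies and the tampered copy is rejected.
demo() {
  work=$(mktemp -d)
  tgz="$work/apache-wicket-x.y.z.tar.gz"
  printf 'constructed release payload\n' > "$tgz"
  make_sha256_file "$tgz" >/dev/null
  if ! verify_sha256_file "$tgz"; then
    echo "intact file failed verification"; rm -rf "$work"; return 1
  fi
  echo "checksum OK"
  # Simulate a corrupted or altered download: verification must now fail.
  printf 'tampered\n' >> "$tgz"
  if verify_sha256_file "$tgz"; then
    echo "tampered file wrongly accepted"; rm -rf "$work"; return 1
  fi
  echo "tampered download rejected"
  rm -rf "$work"
}
```

The `.sha256` file only detects corruption; as the comment above notes, the GPG signature on the artifact is still what ties the release to the project's key.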