[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855449#comment-15855449 ]

Martin Grigorov commented on WICKET-6074:
-----------------------------------------

I fully agree with Maxim!
The verification should be automated. No one should spend his time on doing all this manually!
The real problem is that no one even checks those now! 
One month ago Henk Penning's scripts found problems in Wicket's checksums!

If there is a way to make automated checks with gpg then let's document it, otherwise let's switch to md5sum and sha256sum!

> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
>                 Key: WICKET-6074
>                 URL: https://issues.apache.org/jira/browse/WICKET-6074
>             Project: Wicket
>          Issue Type: Task
>          Components: release
>    Affects Versions: 6.21.0, 7.2.0
>            Reporter: Martin Grigorov
>            Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release: 
> http://markmail.org/message/yu2f64rndmncseyd
> There are a few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
>        The MD5 algorithm should not be used any more for security related purposes.
>        Instead, better use an SHA-2 algorithm, implemented in the programs
>        sha224sum(1), sha256sum(1), sha384sum(1), sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to 
> make it simpler for checking later with "sha256sum -c"


--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
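The comment above asks for automated verification, and item 3 of the issue proposes writing the checksum file with `sha256sum` so that it can be checked later with `sha256sum -c`. The script below is an added example of that workflow; it is not the Wicket project's release.sh and uses a constructed stand-in tarball in a scratch directory. It also includes a small converter for the `file: ABCD 0123 ...` layout that `gpg --print-md` prints, so an existing `.sha` file produced that way can be fed to `sha256sum -c`; the grouped-hex, possibly line-wrapped layout is an assumption about gpg's output, not something this page states.

```shell
#!/bin/sh
# Added example (not the Wicket project's release.sh): write SHA-256 checksum
# files in the "<hex>  <file>" format that `sha256sum -c` reads, verify them,
# and show that tampering is detected.
set -u

# Create a constructed stand-in for a release artefact inside a scratch
# directory and print the directory path.
make_artifact() {
  dir=$(mktemp -d)
  printf 'constructed release tarball contents\n' > "$dir/apache-wicket-0.0.0.tar.gz"
  echo "$dir"
}

# Write <artefact>.sha256 containing "<hex>  <basename>". Running sha256sum
# from inside the artefact's directory keeps the recorded path relative, which
# is what a downloader verifying in their own directory needs.
write_checksum() {
  artefact=$1
  ( cd "$(dirname "$artefact")" && sha256sum "$(basename "$artefact")" ) > "$artefact.sha256"
}

# Return 0 when the artefact matches its .sha256 file, non-zero otherwise.
# --status keeps the output silent so the exit code is the only signal.
verify_checksum() {
  artefact=$1
  ( cd "$(dirname "$artefact")" && sha256sum -c --status "$(basename "$artefact").sha256" )
}

# Convert the assumed "file: ABCD 0123 ..." layout printed by `gpg --print-md`
# (groups of four hex digits, possibly wrapped onto continuation lines) into
# the single "<lowercase hex>  <file>" line that sha256sum -c expects.
gpg_md_to_sha256sum() {
  # $1: the text as printed by gpg --print-md SHA256 <file>
  printf '%s\n' "$1" | awk -F': ' '
    NR == 1 { file = $1; hex = $2; next }   # first line: "file: HEX ..."
    { hex = hex $0 }                         # continuation lines: more HEX
    END {
      gsub(/[ \t]/, "", hex)                 # drop the grouping spaces
      printf "%s  %s\n", tolower(hex), file
    }'
}

# Demo: generate, verify, tamper, verify again.
demo() {
  d=$(make_artifact)
  a="$d/apache-wicket-0.0.0.tar.gz"
  write_checksum "$a"
  echo "checksum file: $(cat "$a.sha256")"
  if verify_checksum "$a"; then echo "original: OK"; else echo "original: FAILED"; fi
  printf 'tampered\n' >> "$a"            # simulate a modified download
  if verify_checksum "$a"; then echo "tampered: NOT detected"; else echo "tampered: detected"; fi
  rm -rf "$d"
}

demo
```

Publishing the `.sha256` file in this format lets anyone run `sha256sum -c apache-wicket-$version.tar.gz.sha256` next to the downloaded artefact and get a machine-readable exit code, which is what a release-check script needs.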