Suraj Acharya created AVRO-2071:
-----------------------------------

Summary: Change of signatures in release
Key: AVRO-2071
URL: https://issues.apache.org/jira/browse/AVRO-2071
Project: Avro
Issue Type: Improvement
Components: build
Affects Versions: 1.7.8, 1.9.0, 1.8.3
Reporter: Suraj Acharya
Assignee: Suraj Acharya

{quote}
Hi PMC,

The Release Distribution Policy[1] changed regarding .sha files.
See under "Cryptographic Signatures and Checksums Requirements" [2].

Old policy :
-- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

New policy :
-- use .sha1 for a SHA-1 checksum
-- use .sha256 for a SHA-256 checksum
-- use .sha512 for a SHA-512 checksum
-- [*] .sha should contain a SHA-1

Why this change ?
-- Verifying a checksum under the old policy is/was not handy. You have to inspect the .sha to find out which algorithm should be used ; or try them all (SHA-1, SHA256, etc). The new scheme avoids this ambiguity.
-- The last point[*] was only added for clarity. Most of the old, stale .sha's contain a SHA-1. The relatively new .sha's contain a SHA-512. The expectation is that the last category will disappear, when active projects adapt to the 'new' convention.

Impact :
-- Should be none ; many projects already use the 'new' convention.
-- Please ask your release managers to use .sha1, .sha256, .sha512 instead of the .sha extension.
-- Please fix your build-tools if you have any.

Piggyback :
-- The policy requires a .md5 for every package ; providing a .sha512 is recommended. Since MD5 is essentially broken, it is to be expected that in the future a .sha512 will be required. Perhaps it is wise to start providing .sha512's with your releases if you do not already do so.
-- Visit http://mirror-vm.apache.org/checker/ to check the health of your /dist/-area ; my stuff ; any feedback is most welcome.

Thanks ; regards,

Henk Penning

[1] http://www.apache.org/dev/release-distribution
[2] http://www.apache.org/dev/release-distribution#sigs-and-sums

------------------------------------------------------------
Henk P. Penning ; apache.org infrastructure volunteer.
he...@apache.org ; http://mirror-vm.apache.org/~henkp/
{quote}

We will need to update the build.sh to conform to these activities.
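
The ambiguity the quoted notice describes, as an added example that is not part of the original message or of Avro's build.sh: a verifier that takes the algorithm from the extension under the new policy and, for a legacy .sha, has to infer it from the digest length. The artifact name, the function names and the `<hex>  <filename>` checksum layout are assumptions made for the example.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# New policy: the extension names the algorithm.
EXT_TO_ALGO = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Legacy .sha: the only hint is the hex length of the digest.
LEGACY_LEN_TO_ALGO = {40: "sha1", 64: "sha256", 128: "sha512"}

def read_digest(checksum_file):
    """Assumed layout: '<hex>' or '<hex>  <filename>' (sha*sum style)."""
    fields = Path(checksum_file).read_text().split()
    if not fields or not re.fullmatch(r"[0-9a-fA-F]+", fields[0]):
        raise ValueError(f"{checksum_file}: no hex digest found")
    return fields[0].lower()

def resolve_algorithm(checksum_file, digest):
    ext = Path(checksum_file).suffix.lower()
    if ext == ".sha":  # ambiguous: the content has to be inspected
        algo = LEGACY_LEN_TO_ALGO.get(len(digest))
    else:
        algo = EXT_TO_ALGO.get(ext)
        # Reject a file whose content does not fit its extension.
        if algo and len(digest) != hashlib.new(algo).digest_size * 2:
            algo = None
    if algo is None:
        raise ValueError(f"{checksum_file}: cannot determine algorithm")
    return algo

def verify(artifact, checksum_file):
    """Return (algorithm, matches) for artifact against checksum_file."""
    digest = read_digest(checksum_file)
    algo = resolve_algorithm(checksum_file, digest)
    h = hashlib.new(algo)
    with open(artifact, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return algo, hmac.compare_digest(h.hexdigest(), digest)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample artifact
        art = Path(d, "example-1.0.tar.gz")
        art.write_bytes(b"constructed release bytes")
        hexd = hashlib.sha512(art.read_bytes()).hexdigest()
        new, old = Path(d, art.name + ".sha512"), Path(d, art.name + ".sha")
        new.write_text(f"{hexd}  {art.name}\n")
        old.write_text(hexd + "\n")
        print(verify(art, new), verify(art, old))
```

A `.sha512` file is resolved from its name alone, while the `.sha` file is resolved only after its content has been read.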