No, I was more after our own release signing practices. And I, as the RM for the last, am to blame for not raising this earlier. We're still using md5 and sha1 to sign our releases. And I am proposing to switch to sha512, starting from 1.1 and on.

Cos

On Sat, Oct 10, 2015 at 08:23PM, Olaf Flebbe wrote:
> Hi Cos,
>
> What signatures are you targeting specifically?
>
> org.apache.hadoop.io.MD5Hash and its usage?
>
> or
>
> something like
>
> bigtop-packages/src/deb/hama/rules: dh_md5sums
> bigtop-packages/src/common/pig/do-component-build: echo "ea58a078e3861d4dfc8bf3296a53a5f8 apache-forrest-0.9.tar.gz" >apache-forrest-0.9.tar.md5
> bigtop-packages/src/common/pig/do-component-build: if ! md5sum -c --quiet apache-forrest-0.9.tar.md5 ; then
>
> or ???
>
> Olaf
>
> > On 09.10.2015 at 23:02, Konstantin Boudnik <[email protected]> wrote:
> >
> > Guys,
> >
> > We had to get rid of md5 sum a long time ago, but it seems that sha1 is hitting
> > the wall as well. Here's the good description of the problem:
> > https://sites.google.com/site/itstheshappening/
> >
> > I'd suggest to scrap both of them in the next release. Any objections?
> >
> > Cos
