Yup, good idea: let the gpg deal with it. I will go ahead and update the release wiki then.

Thanks,
  Cos

On Sun, Oct 11, 2015 at 11:04AM, Andrew Purtell wrote:
> Over on HBase we use gpg to produce at once a sums file using several
> algorithms, including strong ones, fwiw:
>
> $ for i in *.tar.gz; do echo $i; gpg --print-mds $i > $i.mds ; done
>
>
> > On Oct 10, 2015, at 11:44 AM, Konstantin Boudnik <[email protected]> wrote:
> >
> > No, I was more after our own release signing practices. And me as the RM for
> > the last is to blame for not raising this earlier. We're still using md5 and
> > sha1 to sign our releases. And I am proposing to switch to sha512, starting
> > from 1.1 and on.
> >
> > Cos
> >
> >> On Sat, Oct 10, 2015 at 08:23PM, Olaf Flebbe wrote:
> >> Hi Cos,
> >>
> >> What signatures are you targeting specifically?
> >>
> >> org.apache.hadoop.io.MD5Hash and its usage?
> >>
> >> or
> >>
> >> something like
> >>
> >> bigtop-packages/src/deb/hama/rules: dh_md5sums
> >> bigtop-packages/src/common/pig/do-component-build: echo "ea58a078e3861d4dfc8bf3296a53a5f8 apache-forrest-0.9.tar.gz" >apache-forrest-0.9.tar.md5
> >> bigtop-packages/src/common/pig/do-component-build: if ! md5sum -c --quiet apache-forrest-0.9.tar.md5 ; then
> >>
> >> or ???
> >>
> >> Olaf
> >>
> >>> On 09.10.2015 at 23:02, Konstantin Boudnik <[email protected]> wrote:
> >>>
> >>> Guys,
> >>>
> >>> We had to get rid of md5 sum a long time ago, but it seems that sha1 is
> >>> hitting the wall as well. Here's a good description of the problem:
> >>> https://sites.google.com/site/itstheshappening/
> >>>
> >>> I'd suggest to scrap both of them in the next release. Any objections?
> >>>
> >>> Cos
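Added example, not part of the original thread and not Bigtop's or HBase's release tooling: a sketch of the proposed switch to SHA-512 sums, covering the release-manager side, an audit for tarballs that still have no SHA-512 sums, and the downloader-side check including the mismatch case. It assumes coreutils sha512sum instead of the gpg one-liner quoted above and a <artifact>.sha512 sidecar naming scheme; the function names and the sample tarball are constructed for illustration.

```shell
# Added example (assumptions: coreutils sha512sum, <artifact>.sha512 sidecars).
# Each function body is a subshell, so cd and variables do not leak to the caller.

# Release-manager side: write a SHA-512 sidecar for every tarball in a directory.
write_sums() (
    cd "$1" || exit 1
    for f in *.tar.gz; do
        [ -f "$f" ] || continue              # unmatched glob stays literal
        sha512sum "$f" > "$f.sha512" || exit 1
    done
)

# Audit: print tarballs that still lack a .sha512 sidecar (md5/sha1 only, or none).
missing_sha512() (
    cd "$1" || exit 1
    for f in *.tar.gz; do
        [ -f "$f" ] || continue
        [ -f "$f.sha512" ] || printf '%s\n' "$f"
    done
)

# Downloader side: 0 = digest matches, 1 = mismatch, 2 = no SHA-512 sidecar.
verify_artifact() (
    cd "$(dirname "$1")" || exit 1
    f=$(basename "$1")
    [ -f "$f.sha512" ] || exit 2
    sha512sum -c "$f.sha512" >/dev/null 2>&1
)

# Constructed sample: a fake tarball is checksummed, then modified afterwards.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'constructed release payload\n' > "$d/demo-1.1.0.tar.gz"
    write_sums "$d"
    verify_artifact "$d/demo-1.1.0.tar.gz"; echo "untouched: rc=$?"
    printf 'x' >> "$d/demo-1.1.0.tar.gz"
    verify_artifact "$d/demo-1.1.0.tar.gz"; echo "modified:  rc=$?"
    rm -rf "$d"
)
demo
```

A matching digest only shows the file is the one the sums file describes; the sums file itself still has to be fetched over a trusted channel or covered by the release's gpg signature.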
