Hello Brooklyn developers,

Forwarding for general interest, note a change in the Apache policy for
checksums as per the email below.  We should update our release make
scripts accordingly before our next release.

Geoff

---------- Forwarded message ---------
From: Henk P. Penning <[email protected]>
Date: Mon, 5 Mar 2018 at 11:19
Subject: checksum file Release Distribution Policy
To: <[email protected]>


Hi Pmcs,

    The Release Distribution Policy[1] changed regarding checksum files.
    See under "Cryptographic Signatures and Checksums Requirements" [2].

      MD5-file == a .md5 file
      SHA-file == a .sha1, sha256 or .sha512 file

   Old policy :

      -- MUST provide a MD5-file
      -- SHOULD provide a SHA-file [SHA-512 recommended]

   New policy :

      -- MUST provide a SHA- or MD5-file
      -- SHOULD provide a SHA-file
      -- SHOULD NOT provide a MD5-file

      Providing MD5 checksum files is now discouraged for new releases,
      but still allowed for past releases.

   Why this change :

      -- MD5 is broken for many purposes ; we should move away from it.
         https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

   Impact for PMCs :

      -- for new releases :
         -- please do provide a SHA-file (one or more, if you like)
         -- do NOT provide a MD5-file

      -- for past releases :
         -- you are not required to change anything
         -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
            it would be nice if you removed the MD5-file

      -- if, at the moment, you provide MD5-files,
         please adjust your release tooling.

   Please mail me ([email protected]) if you have any questions etc.

   FYI :

    Many projects are not (entirely, strictly) checksum file compliant.
    For an overview/inventory (by project) see :

     https://checker.apache.org/dist/unsummed.html

   At the moment :

      -- no checksum : 176 packages in 28 projects ; non-compliant
      -- only MD5    : 495 packages in 44 projects ; update tooling
      -- only SHA    : 135 packages in 13 projects ; now compliant

    In many cases, only a few (among many) checksum files are missing ;
    you may want to fix that.

    [1] http://www.apache.org/dev/release-distribution
    [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

   Thanks, groeten,

   Henk Penning -- apache.org infrastructure ; dist & mirrors.

------------------------------------------------------------
Henk P. Penning, ICT-beta                 R Uithof MG-403
Faculty of Science, Utrecht University    T +31 30 253 4106
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553
http://www.staff.science.uu.nl/~penni101/ M [email protected]
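An added example (not part of Henk's mail or of Brooklyn's release scripts) of what the "adjust your release tooling" step looks like in practice: POSIX shell helpers that write a .sha512 file next to each artifact, verify an artifact against it, and classify the artifacts in a dist directory the way the checker inventory does (no checksum, MD5-only, SHA). It assumes sha512sum (coreutils) or shasum (macOS/BSD) is installed; the artifact names used are constructed.

```shell
#!/bin/sh
# Added example, not Brooklyn's own release tooling: helpers for the
# new ASF policy (SHA-file required, MD5-file discouraged).

# Print the digest line "<hex>  <basename>" for a file, using whichever of
# sha512sum (coreutils) or shasum (macOS/BSD) is available.
sha512_line() {
    dir=$(dirname "$1"); base=$(basename "$1")
    if command -v sha512sum >/dev/null 2>&1; then
        (cd "$dir" && sha512sum "$base")
    else
        (cd "$dir" && shasum -a 512 "$base")
    fi
}

# Write artifact.sha512 beside the artifact, in the format `sha512sum -c` reads.
write_sha512() {
    sha512_line "$1" > "$1.sha512"
}

# Verify an artifact against its .sha512 file; returns 0 only on a match.
verify_sha512() {
    [ -f "$1.sha512" ] || return 1
    expected=$(awk '{print $1}' "$1.sha512")
    actual=$(sha512_line "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Classify one artifact as the inventory does: "none", "md5-only" or "sha".
classify_artifact() {
    has_sha=0; has_md5=0
    for ext in sha1 sha256 sha512; do [ -f "$1.$ext" ] && has_sha=1; done
    [ -f "$1.md5" ] && has_md5=1
    if [ "$has_sha" -eq 1 ]; then echo sha
    elif [ "$has_md5" -eq 1 ]; then echo md5-only
    else echo none; fi
}

# Print "<class> <artifact>" for every artifact in a dist directory,
# skipping the checksum and signature files themselves.
report_dist() {
    for f in "$1"/*; do
        case "$f" in *.md5|*.sha1|*.sha256|*.sha512|*.asc) continue ;; esac
        [ -f "$f" ] || continue
        echo "$(classify_artifact "$f") $(basename "$f")"
    done
}
```

Run `report_dist /path/to/dist` on a release staging directory and fix every line that is not "sha"; `write_sha512` covers the "none" and "md5-only" cases.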
