On Mon, Mar 5, 2018 at 8:51 AM, Rob Tompkins <[email protected]> wrote:
> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull
> that back in lieu of adding sha512 and removing sha1, md5? I haven't
> promoted the RC yet.

I would move the release along, then consider how to implement the new
policy in a subsequent release.

Gary

> -Rob
>
> > On Mar 5, 2018, at 10:27 AM, Gary Gregory <[email protected]> wrote:
> >
> > Rob: How does this affect your release plugin?
> >
> > Gary
> >
> > ---------- Forwarded message ----------
> > From: Henk P. Penning <[email protected]>
> > Date: Mon, Mar 5, 2018 at 4:18 AM
> > Subject: checksum file Release Distribution Policy
> > To: [email protected]
> >
> > Hi PMCs,
> >
> > The Release Distribution Policy[1] changed regarding checksum files.
> > See under "Cryptographic Signatures and Checksums Requirements" [2].
> >
> > MD5-file == a .md5 file
> > SHA-file == a .sha1, .sha256 or .sha512 file
> >
> > Old policy :
> >
> > -- MUST provide a MD5-file
> > -- SHOULD provide a SHA-file [SHA-512 recommended]
> >
> > New policy :
> >
> > -- MUST provide a SHA- or MD5-file
> > -- SHOULD provide a SHA-file
> > -- SHOULD NOT provide a MD5-file
> >
> > Providing MD5 checksum files is now discouraged for new releases,
> > but still allowed for past releases.
> >
> > Why this change :
> >
> > -- MD5 is broken for many purposes ; we should move away from it.
> >    https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
> >
> > Impact for PMCs :
> >
> > -- for new releases :
> >    -- please do provide a SHA-file (one or more, if you like)
> >    -- do NOT provide a MD5-file
> >
> > -- for past releases :
> >    -- you are not required to change anything
> >    -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
> >       it would be nice if you removed the MD5-file
> >
> > -- if, at the moment, you provide MD5-files,
> >    please adjust your release tooling.
> >
> > Please mail me ([email protected]) if you have any questions etc.
> >
> > FYI :
> >
> > Many projects are not (entirely, strictly) checksum file compliant.
> > For an overview/inventory (by project) see :
> >
> >    https://checker.apache.org/dist/unsummed.html
> >
> > At the moment :
> >
> > -- no checksum : 176 packages in 28 projects ; non-compliant
> > -- only MD5    : 495 packages in 44 projects ; update tooling
> > -- only SHA    : 135 packages in 13 projects ; now compliant
> >
> > In many cases, only a few (among many) checksum files are missing ;
> > you may want to fix that.
> >
> > [1] http://www.apache.org/dev/release-distribution
> > [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
> >
> > Thanks, groeten,
> >
> > Henk Penning -- apache.org infrastructure ; dist & mirrors.
> >
> > ------------------------------------------------------------      _
> > Henk P. Penning, ICT-beta                  R Uithof MG-403     _/ \_
> > Faculty of Science, Utrecht University     T +31 30 253 4106  / \_/ \
> > Leuvenlaan 4, 3584CE Utrecht, NL           F +31 30 253 4553  \_/ \_/
> > http://www.staff.science.uu.nl/~penni101/  M [email protected]   \_/
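As an added example that is not part of this thread, of the ASF checker, or of any Apache release tooling: a small POSIX shell script that does what Henk's mail asks of release tooling. It classifies every artifact in a dist directory the way the inventory above does (no checksum / only MD5 / only SHA / both), writes a `.sha512` file in the `sha512sum -c` format for artifacts that lack a SHA-file, removes the `.md5` file, and verifies a `.sha512` file against its artifact. The function names, the `--fix` flag, the directory layout (checksum files beside the artifact) and the sample artifacts in the usage are assumptions; it requires GNU coreutils `sha512sum`.

```shell
#!/bin/sh
# Added example; not part of the thread or of any Apache release tooling.
# Assumes GNU coreutils sha512sum and the dist layout the policy describes:
# each artifact sits next to its checksum files <artifact>.md5 / .sha1 /
# .sha256 / .sha512 (and its .asc signature). All names are assumptions.

# write_sha512 ARTIFACT
#   Writes ARTIFACT.sha512 in "HASH  NAME" form, the format sha512sum -c
#   reads, with NAME relative to the directory so the file works on a mirror.
write_sha512() {
    artifact=$1
    ( cd "$(dirname "$artifact")" && sha512sum "$(basename "$artifact")" ) \
        > "$artifact.sha512"
}

# verify_sha512 ARTIFACT
#   Returns 0 when ARTIFACT.sha512 matches the artifact, non-zero otherwise.
verify_sha512() {
    artifact=$1
    ( cd "$(dirname "$artifact")" \
        && sha512sum -c --status "$(basename "$artifact").sha512" )
}

# classify_artifact ARTIFACT
#   Prints the artifact's class under the new policy:
#     none      no checksum file at all   (non-compliant)
#     md5-only  only a .md5 file          (update tooling)
#     sha-only  only SHA-file(s)          (compliant)
#     sha+md5   both                      (compliant; the .md5 may go)
classify_artifact() {
    artifact=$1
    has_sha=0
    has_md5=0
    for ext in sha1 sha256 sha512; do
        if [ -f "$artifact.$ext" ]; then has_sha=1; fi
    done
    if [ -f "$artifact.md5" ]; then has_md5=1; fi
    case "$has_sha$has_md5" in
        00) echo none ;;
        01) echo md5-only ;;
        10) echo sha-only ;;
        11) echo sha+md5 ;;
    esac
}

# migrate_artifact ARTIFACT
#   Brings one artifact in line with the new policy: adds a .sha512 file when
#   no SHA-file exists and removes the .md5 file. The artifact itself is not
#   touched, so an existing .asc signature stays valid.
migrate_artifact() {
    artifact=$1
    case "$(classify_artifact "$artifact")" in
        none|md5-only) write_sha512 "$artifact" ;;
    esac
    rm -f "$artifact.md5"
}

# audit_dist DIR
#   Prints "CLASS NAME" for every artifact in DIR, skipping the checksum
#   and signature files themselves.
audit_dist() {
    dir=$1
    for f in "$dir"/*; do
        case "$f" in
            *.asc|*.md5|*.sha1|*.sha256|*.sha512) continue ;;
        esac
        if [ -f "$f" ]; then
            printf '%s %s\n' "$(classify_artifact "$f")" "$(basename "$f")"
        fi
    done
}

# Usage: sh checksums.sh DIST_DIR         audit only
#        sh checksums.sh DIST_DIR --fix   migrate every artifact, then audit
if [ $# -gt 0 ]; then
    if [ "${2:-}" = "--fix" ]; then
        for f in "$1"/*; do
            case "$f" in *.asc|*.md5|*.sha1|*.sha256|*.sha512) continue ;; esac
            if [ -f "$f" ]; then migrate_artifact "$f"; fi
        done
    fi
    audit_dist "$1"
fi
```

Running it in audit mode over a dist tree reproduces the three buckets of the inventory for one project; `--fix` performs the "please adjust your release tooling" step without touching the artifacts, so existing `.asc` signatures remain valid. The `.sha512` files are written relative to the artifact's directory, which is what `sha512sum -c` expects when a downloader verifies them on a mirror.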
