Jordan Zimmerman created CURATOR-461:
----------------------------------------

             Summary: Update release artifact production to match new guidelines
                 Key: CURATOR-461
                 URL: https://issues.apache.org/jira/browse/CURATOR-461
             Project: Apache Curator
          Issue Type: Task
          Components: Apache
    Affects Versions: 4.0.1
            Reporter: Jordan Zimmerman
             Fix For: 4.0.2


From Apache...

The Release Distribution Policy[1] changed regarding checksum files.
  See under "Cryptographic Signatures and Checksums Requirements" [2].

    MD5-file == a .md5 file
    SHA-file == a .sha1, .sha256 or .sha512 file

 Old policy :

    -- MUST provide a MD5-file
    -- SHOULD provide a SHA-file [SHA-512 recommended]

 New policy :

    -- MUST provide a SHA- or MD5-file
    -- SHOULD provide a SHA-file
    -- SHOULD NOT provide a MD5-file

    Providing MD5 checksum files is now discouraged for new releases,
    but still allowed for past releases.

 Why this change :

    -- MD5 is broken for many purposes ; we should move away from it.
       [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]

 Impact for PMCs :

    -- for new releases :
       -- please do provide a SHA-file (one or more, if you like)
       -- do NOT provide a MD5-file

    -- for past releases :
       -- you are not required to change anything
       -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
          it would be nice if you removed the MD5-file

    -- if, at the moment, you provide MD5-files,
       please adjust your release tooling.

 Please mail me ([[email protected]|mailto:[email protected]]) if you have any 
questions etc.

 FYI :

  Many projects are not (entirely, strictly) checksum file compliant.
  For an overview/inventory (by project) see :

   [https://checker.apache.org/dist/unsummed.html]

 At the moment :

    -- no checksum : 176 packages in 28 projects ; non-compliant
    -- only MD5    : 495 packages in 44 projects ; update tooling
    -- only SHA    : 135 packages in 13 projects ; now compliant

  In many cases, only a few (among many) checksum files are missing ;
  you may want to fix that.

  [1] [http://www.apache.org/dev/release-distribution]
  [2] [http://www.apache.org/dev/release-distribution#sigs-and-sums]

 Thanks, groeten,



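As an added example (not from the Apache mail or the Curator project's own release tooling): a POSIX shell script that sorts the artifacts in a release directory into the buckets the mail lists (no checksum, only MD5, only SHA, SHA and MD5) and writes a .sha512 file for every artifact that has no SHA-file yet. The set of extensions treated as checksum or signature files (.md5, .sha1, .sha256, .sha512, .asc), the use of GNU sha512sum, and artifact names without spaces are assumptions.

```shell
#!/bin/sh
# Constructed example: classify release artifacts by accompanying checksum
# files and add a .sha512 file where the SHA-file is missing.
# Assumption: anything ending in .md5/.sha1/.sha256/.sha512/.asc is a checksum
# or signature file, not an artifact; artifact names contain no spaces.

# Print "<artifact> <status>" for every artifact directly under $1.
# status is one of: no-checksum | only-md5 | only-sha | sha-and-md5
checksum_status() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.md5|*.sha1|*.sha256|*.sha512|*.asc) continue;; esac
    has_md5=0; has_sha=0
    [ -f "$f.md5" ] && has_md5=1
    for ext in sha1 sha256 sha512; do
      [ -f "$f.$ext" ] && has_sha=1
    done
    if [ "$has_sha" -eq 1 ] && [ "$has_md5" -eq 1 ]; then status=sha-and-md5
    elif [ "$has_sha" -eq 1 ]; then status=only-sha
    elif [ "$has_md5" -eq 1 ]; then status=only-md5
    else status=no-checksum
    fi
    printf '%s %s\n' "$(basename "$f")" "$status"
  done
}

# Write <artifact>.sha512 (GNU "hash  name" format, assumed) for every
# artifact in the no-checksum or only-md5 bucket; artifacts that already
# have a SHA-file are left untouched.
add_sha512() {
  checksum_status "$1" | while read -r name status; do
    case "$status" in
      no-checksum|only-md5)
        ( cd "$1" && sha512sum "$name" > "$name.sha512" ) ;;
    esac
  done
}

# Usage: checksum_status /path/to/dist/release ; add_sha512 /path/to/dist/release
```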