On 12/12/2019 15:24, Shawn McKinney wrote:
>> On Dec 11, 2019, at 4:33 PM, Emmanuel Lécharny <[email protected]> wrote:
>>
>> One remark: MD5 and SHA1 should not be used anymore to sign packages. The
>> other Directory projects are now signing everything with ASC, SHA256 and
>> SHA512. You can re-sign the packages and push the signatures on the repo.
>
> Ah, in the staging repo, yes you’re right, and it’s closed, meaning will have
> to rerun the release.

Not necessarily. You can sign the package that you are uploading and
replace the one you have uploaded.
You are not modifying the packages, you just add some sigs.

> Speaking of, this step:
>
> mvn -Papache-release release:perform
>
> Signs and uploads the packages to the maven repo. I’m guessing the wrong
> version referenced by parent pom’s apache-release profile?

I'm not keeping anything signed by maven, I'm using my own signing
script (see
http://directory.apache.org/api/developer-guide.html#sign-the-packages)
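
The point made in this thread, that SHA256 and SHA512 files can be added next to packages that only carry MD5/SHA1 without touching the packages themselves, as an added example that is not part of the original message and is not the signing script from the developer guide. It assumes GNU coreutils and sidecar files named `<artifact>.sha256` / `<artifact>.sha512`; the function names are hypothetical, and the ASC (GPG) signatures are left to the signing key holder.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils (sha256sum, sha512sum) and sidecar
# files named <artifact>.md5 / .sha1 / .sha256 / .sha512 / .asc.

# True when $1 is a checksum or signature sidecar rather than an artifact.
is_sidecar() {
    case "$1" in
        *.md5|*.sha1|*.sha256|*.sha512|*.asc) return 0 ;;
    esac
    return 1
}

# Hex digest of file $2 with SHA-$1 (256 or 512).
digest() { "sha${1}sum" "$2" | cut -d' ' -f1; }

# List artifacts in directory $1 that lack a .sha256 or .sha512 sidecar.
list_weak() {
    for f in "$1"/*; do
        is_sidecar "$f" && continue
        [ -f "$f" ] || continue
        if [ ! -f "$f.sha256" ] || [ ! -f "$f.sha512" ]; then echo "$f"; fi
    done
}

# Create the missing sidecars. Artifacts are only read, never rewritten.
add_strong_digests() {
    for f in "$1"/*; do
        is_sidecar "$f" && continue
        [ -f "$f" ] || continue
        for bits in 256 512; do
            [ -f "$f.sha$bits" ] || digest "$bits" "$f" > "$f.sha$bits"
        done
    done
}

# Recompute each digest and compare it with its sidecar; non-zero on any
# missing or mismatching sidecar.
verify_strong_digests() {
    rc=0
    for f in "$1"/*; do
        is_sidecar "$f" && continue
        [ -f "$f" ] || continue
        for bits in 256 512; do
            want=$(cut -d' ' -f1 "$f.sha$bits" 2>/dev/null) || want=""
            [ -n "$want" ] && [ "$want" = "$(digest "$bits" "$f")" ] && continue
            echo "FAIL $f.sha$bits"; rc=1
        done
    done
    return "$rc"
}

# Usage: script.sh <directory-of-release-artifacts>
if [ "$#" -eq 1 ]; then add_strong_digests "$1" && verify_strong_digests "$1"; fi
```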