Interesting re the sha. The updates regarding sha naming are pretty recent - last 6months or so.
So, they’re just wrong / not compatible with the real world and/or nexus generated info? Actually, I suspect it’s OK to just ignore nexus with respect to this - i.e., it has it’s own naming scheme and this ASF scheme is just for the source release repo. “sha” is compatible with this directive so we can leave it as. http://www.apache.org/dev/release-distribution#sigs-and-sums <http://www.apache.org/dev/release-distribution#sigs-and-sums> Thanks — Dale > On Dec 7, 2017, at 4:00 AM, Christofer Dutz <christofer.d...@c-ware.de> wrote: > > Hi Dale, > > I added the zip and then noticed that the tag.gz did have some “next” and > “current” pom copies inside. So, I had a look at my original and they didn’t > have them, so I updated the tar.gz and its hashes. > > Also, I did rename the sha512 back to sha as SHA is the algorithm … you > usually encounter SHA, SHA1 or SHA2, but never SHA512 in the wild. > > Regarding the hashes in Nexus: We shouldn’t change this, as these are the > hashes Maven works with. If we change this, it could be that the artifacts > are no longer accessible. The build isn’t generating them anyway but Nexus > generates them automatically. So I guess even if we wanted to change things, > we couldn’t. > > Chris > > > > Am 06.12.17, 23:55 schrieb "Dale LaBossiere" <dml.apa...@gmail.com>: > > Agreed on all points regarding the zip. > > Since you offered, I updated the scripts to require it and the sha512 > noted below :-) > The verification includes verifying the tar.gz and zip contents are the > same. > > On another topic, [1] says the suffix MUST be sha512 for a SHA 512 sum > (which in fact is what the file contains) > apache-edgent-1.2.0-incubating-source-release.tar.gz.sha1 > > So that needs be changed in the staging area in addition to staging the > zip and its sums/sig. > > Thanks! > — Dale > > [1] http://www.apache.org/dev/release-distribution#sigs-and-sums > >> On Dec 6, 2017, at 2:35 PM, Christofer Dutz <christofer.d...@c-ware.de> >> wrote: >> ... >> I just had a look at what the script was looking for. If releasing tar and >> zip i think we would have to do the checking for both types. I can add the >> other zip easily. But in that Case i would suggest adding that to the script >> and add one check to make sure the content is identical. Would be good If we >> could be sure we need to detail-check only one. >> ... >> From: Dale LaBossiere <dml.apa...@gmail.com> >> ... >> -Papache-release also generates a zip. I had expected we’d be releasing >> that too but it isn’t staged. >> At this time I’m fine if we just continue 1.2.0 with only the tar.gz but if >> you also want to stage the zip that's fine too. >> >> I just need to know which way we’re going because I need to adjust the >> “downloads” website page accordingly. > > >
