> On Jan 11, 2016, at 7:04 PM, Nitin Lamba <[email protected]> wrote:
>
> Generating MD5 from the build script sounds like a great idea.
>
> Maybe I'm off here but doesn't the release signing process need stronger
> digest (SHA512)? More info here [1].
>

Good point.

> Thanks,
> Nitin
> [1] http://www.apache.org/dev/release-signing.html#sha-checksum
>
> ________________________________________
> From: Dan Smith <[email protected]>
> Sent: Monday, January 11, 2016 5:29 PM
> To: geode
> Subject: Re: checksum files for distributions
>
> Looks pretty good. You could consider just using the ant checksum task
> instead of rolling your own:
>
> ant.checksum file: archive.archivePath
>

Cool. And use algorithm: sha-256 to set the digest type.

> Also, matching on the name of the gradle task seems a little kludgy. Maybe
> just use withType
>
> tasks.withType(Zip) ...
> tasks.withType(Tar) …
>

I was trying to avoid using Zip type since that also hashes every Jar. Jar hashes appear to be generated automatically by Nexus:

https://repository.apache.org/content/groups/snapshots/org/apache/geode/gemfire-core/1.0.0-incubating-SNAPSHOT/

If there’s a more gradley-way...

> On Mon, Jan 11, 2016 at 4:35 PM, Anthony Baker <[email protected]> wrote:
>
>> The gemfire-assembly build file produces source and binary distributions
>> in both tar and zip format. I think we need checksum files (md5 / sha1) in
>> order to publish these. I uploaded a patch at
>> https://issues.apache.org/jira/browse/GEODE-775.
>>
>> Please let me know what you think.
>>
>> Anthony
>>
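The checksum sidecar files discussed in this thread, and the check a downloader would run against them, as an added example that is not part of the thread or of the GEODE-775 patch. The archive name, the `<digest>  <filename>` line format and all function names are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Digests accepted here; MD5 and SHA-1 are left out on purpose (assumption).
STRONG_ALGORITHMS = ("sha256", "sha512")


def file_digest(path, algorithm):
    """Stream the file through the hash so large archives are not read into memory."""
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"unsupported digest: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksum(path, algorithm="sha256"):
    """Write <archive>.<algorithm> next to the archive and return its path."""
    sidecar = f"{path}.{algorithm}"
    with open(sidecar, "w", encoding="ascii") as f:
        f.write(f"{file_digest(path, algorithm)}  {os.path.basename(path)}\n")
    return sidecar


def verify_checksum(path, algorithm="sha256"):
    """Recompute the digest and compare it with the first field of the sidecar."""
    with open(f"{path}.{algorithm}", "rb") as f:
        fields = f.read().split()
    expected = fields[0].lower() if fields else b""
    return hmac.compare_digest(expected, file_digest(path, algorithm).encode("ascii"))


def demo():
    """Constructed stand-in for a distribution archive: checksum, verify, then alter."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "example-dist.tar.gz")  # hypothetical name
        with open(archive, "wb") as f:
            f.write(b"constructed archive bytes")
        for algorithm in STRONG_ALGORITHMS:
            write_checksum(archive, algorithm)
        before = [verify_checksum(archive, a) for a in STRONG_ALGORITHMS]
        with open(archive, "ab") as f:
            f.write(b"!")  # simulate corruption or tampering after publication
        after = [verify_checksum(archive, a) for a in STRONG_ALGORITHMS]
        return before, after
```

A checksum file only detects changes to the archive if it is fetched from a source the attacker cannot also modify; the OpenPGP signature on the release covers that case.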
