Igniters, especially the release managers,

Please consider these changes and recommendations for the next release. Do we 
have any ticket that already takes this into account?

—
Denis

> Begin forwarded message:
> 
> From: "Henk P. Penning" <[email protected]>
> Subject: .sha Release Distribution Policy
> Date: August 16, 2017 at 1:55:57 AM PDT
> To: <[email protected]>
> Reply-To: [email protected]
> 
> Hi PMC,
> 
>   The Release Distribution Policy[1] changed regarding .sha files.
>   See under "Cryptographic Signatures and Checksums Requirements" [2].
> 
>  Old policy :
> 
>    -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
> 
>  New policy :
> 
>     -- use .sha1 for a SHA-1 checksum
>     -- use .sha256 for a SHA-256 checksum
>     -- use .sha512 for a SHA-512 checksum
>     -- [*] .sha should contain a SHA-1
> 
>  Why this change ?
> 
>     -- Verifying a checksum under the old policy is/was not handy.
>        You have to inspect the .sha to find out which algorithm
>        should be used ; or try them all (SHA-1, SHA256, etc).
>        The new scheme avoids this ambiguity.
>     -- The last point[*] was only added for clarity. Most of the
>        old, stale .sha's contain a SHA-1. The relatively new .sha's
>        contain a SHA-512. The expectation is that the last category will
>        disappear, when active projects adapt to the 'new' convention.
> 
>  Impact :
> 
>     -- Should be none ; many projects already use the 'new' convention.
>     -- Please ask your release managers to use .sha1, .sha256, .sha512
>        instead of the .sha extension.
>     -- Please fix your build-tools if you have any.
> 
>  Piggyback :
> 
>     -- The policy requires a .md5 for every package ;
>        providing a .sha512 is recommended.
>        Since MD5 is essentially broken, it is to be expected that
>        in the future a .sha512 will be required.
>        Perhaps it is wise to start providing .sha512's
>        with your releases if you do not already do so.
> 
>     -- Visit http://mirror-vm.apache.org/checker/
>        to check the health of your /dist/-area ;
>        my stuff ; any feedback is most welcome.
> 
>  Thanks ; regards,
> 
>  Henk Penning
> 
>   [1] http://www.apache.org/dev/release-distribution
>   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
> 
> ------------------------------------------------------------
> Henk P. Penning ; apache.org infrastructure volunteer.
> [email protected] ; http://mirror-vm.apache.org/~henkp/
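
As an added example (not part of Henk's message or of Apache's own tooling), a small verifier that applies the new naming rule and, for a legacy .sha file, falls back to the digest-length inspection the old policy forced on the reader. The file names and checksum contents below are constructed; the two checksum-file layouts it parses are the common ones (sha512sum style and gpg --print-md style).

```python
import hashlib
import os
import tempfile

# New policy: the extension names the algorithm (.md5 is still required by the policy).
EXT_TO_ALGO = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512", ".md5": "md5"}
# Old policy: a bare .sha says nothing, so the digest length has to be inspected.
HEXLEN_TO_ALGO = {40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}  # deprecated digests; the policy itself calls MD5 "essentially broken"

def parse_digest(text: str) -> str:
    """Hex digest from "<hex>  <file>" (sha512sum) or "file: AB12 CD34 ..." (gpg --print-md)."""
    tokens = text.split()
    if tokens and tokens[0].endswith(":"):
        tokens = tokens[1:]  # drop the "filename:" label
    hexdigits = set("0123456789abcdefABCDEF")
    return "".join(t for t in tokens if set(t) <= hexdigits).lower()

def select_algorithm(checksum_path: str, digest_hex: str) -> str:
    ext = os.path.splitext(checksum_path)[1].lower()
    if ext in EXT_TO_ALGO:
        return EXT_TO_ALGO[ext]
    if ext == ".sha" and len(digest_hex) in HEXLEN_TO_ALGO:
        return HEXLEN_TO_ALGO[len(digest_hex)]
    raise ValueError(f"cannot determine hash algorithm for {checksum_path!r}")

def verify(artifact_path: str, checksum_path: str) -> dict:
    """Hash the artifact with the algorithm the checksum file implies and compare."""
    with open(checksum_path) as f:
        expected = parse_digest(f.read())
    algo = select_algorithm(checksum_path, expected)
    h = hashlib.new(algo)
    with open(artifact_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"algorithm": algo, "match": h.hexdigest() == expected, "weak": algo in WEAK}

def demo() -> dict:
    """Constructed sample artifact, checked under both naming conventions."""
    with tempfile.TemporaryDirectory() as d:
        art = os.path.join(d, "example-release-bin.zip")
        data = b"constructed release artifact, not a real Ignite build\n"
        with open(art, "wb") as f:
            f.write(data)
        results = {}
        for ext, algo in [(".sha512", "sha512"), (".sha", "sha512"), (".sha", "sha1"), (".md5", "md5")]:
            with open(art + ext, "w") as f:
                f.write(f"{hashlib.new(algo, data).hexdigest()}  {os.path.basename(art)}\n")
            results[ext + "/" + algo] = verify(art, art + ext)
        return results
```

The "weak" flag is what a release check would surface when a distribution area still carries only .md5 or .sha1 files alongside its artifacts.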
