Denis,

Currently we provide md5 and sha512 [1]. Should we just get rid of md5?

[1] https://www.apache.org/dist/ignite/2.6.0/

Sat, 18 Aug 2018 at 3:51, Denis Magda <[email protected]>:

> Peter, Anton V, Igniters,
>
> The board communicated the following release policy changes:
> -- for new releases :
>    -- you MUST supply a SHA-256 and/or SHA-512 file
>    -- you SHOULD NOT supply MD5 or SHA-1 files
>
> Are we good? More details are below.
>
>
> *2 Release Dist Policy Changes (Q? [email protected])
> -----------------------------------------------------------------------
>
> The Release Distribution Policy[1] changed regarding checksum files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
> not just emphasized words ; for an explanation see RFC-2119 [3].
>
> Old policy :
>
> -- SHOULD supply a SHA checksum file
> -- SHOULD NOT supply a MD5 checksum file
>
> New policy :
>
> -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
> -- SHOULD NOT supply MD5 or SHA-1 checksum files
>
> Why this change ?
>
> -- Like MD5, SHA-1 is too broken ; we should move away from it.
>
> Impact for PMCs :
>
> -- for new releases :
>    -- you MUST supply a SHA-256 and/or SHA-512 file
>    -- you SHOULD NOT supply MD5 or SHA-1 files
>
> -- for past releases :
>    -- you are not required to change anything ;
>    -- it would be nice if you fixed your dist area ;
>       start with : cleanup ; rename .sha's ; remove .md5's
