Yes, let’s just remove md5. Will you create the ticket and handle this for 2.7?
Denis On Monday, August 20, 2018, Anton Vinogradov <[email protected]> wrote: > Denis, > > Currently we provide md5 and sha512 [1]. > Should we just get rid of md5? > > [1] https://www.apache.org/dist/ignite/2.6.0/ > > сб, 18 авг. 2018 г. в 3:51, Denis Magda <[email protected]>: > >> Peter, Anton V, Igniters, >> >> The board communicated the following release policy changes: >> -- for new releases : >> -- you MUST supply a SHA-256 and/or SHA-512 file >> -- you SHOULD NOT supply MD5 or SHA-1 files >> >> Are we good? More details are below. >> >> >> >> >> *2 Release Dist Policy Changes (Q? [email protected]) >> ----------------------------------------------------------------------- >> >> The Release Distribution Policy[1] changed regarding checksum files. >> See under "Cryptographic Signatures and Checksums Requirements" [2]. >> >> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ; >> not just emphasized words ; for an explanation see RFC-2119 [3]. >> >> Old policy : >> >> -- SHOULD supply a SHA checksum file >> -- SHOULD NOT supply a MD5 checksum file >> >> New policy : >> >> -- SHOULD supply a SHA-256 and/or SHA-512 checksum file >> -- SHOULD NOT supply MD5 or SHA-1 checksum files >> >> Why this change ? >> >> -- Like MD5, SHA-1 is too broken ; we should move away from it. >> >> Impact for PMCs : >> >> -- for new releases : >> -- you MUST supply a SHA-256 and/or SHA-512 file >> -- you SHOULD NOT supply MD5 or SHA-1 files >> >> -- for past releases : >> -- you are not required to change anything ; >> -- it would be nice if you fixed your dist area ; >> start with : cleanup ; rename .sha's ; remove .md5's >> >
