[
https://issues.apache.org/jira/browse/JCR-4378?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16633785#comment-16633785
]
Bertrand Delacretaz commented on JCR-4378:
------------------------------------------
FYI we've also be looking at this for the Sling project and it looks like Maven
and/or repository.apache.org get in the way depending on your release process.
We're following up at SLING-7534, just wanted to mention this to avoid
duplication of efforts.
Note also that http://www.apache.org/dev/release-distribution#sigs-and-sums
initially said that we MUST NOT include md5 digests anymore, but that was later
changed to SHOULD NOT, due to those tooling issues IIUC.
> MD5 and SHA1 should no longer be provided on download pages
> ------------------------------------------------------------
>
> Key: JCR-4378
> URL: https://issues.apache.org/jira/browse/JCR-4378
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Reporter: Sebb
> Assignee: Julian Reschke
> Priority: Major
>
> As the subject says: SHA1 is deprecated and should no longer be linked from
> download pages.
> New releases should have sha256 and/or sha512 hashes instead.
> If a historic release only has a SHA1 hash, that can be retained, but ideally
> it can be replaced with a better sha256/512 one.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
