[
https://issues.apache.org/jira/browse/JCR-4378?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16633839#comment-16633839
]
Konrad Windszus commented on JCR-4378:
--------------------------------------
[[email protected]] There are some hard organisational topics if Nexus Staging
cannot be used for fully validating the release:
# During the release vote it is very hard to automatically validate the
checksum if it is not part of the staging repo. You would need to copy this
checksum from the vote mail and rather check it manually.
# It is hard to let non-PMC members do the release as copying over to dist
does not only require to checkout from staging but also manually create the
checksums
([https://maven.apache.org/developers/release/maven-project-release-procedure.html#Copy_the_source_release_to_the_Apache_Distribution_Area).]
> MD5 and SHA1 should no longer be provided on download pages
> ------------------------------------------------------------
>
> Key: JCR-4378
> URL: https://issues.apache.org/jira/browse/JCR-4378
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Reporter: Sebb
> Assignee: Julian Reschke
> Priority: Major
>
> As the subject says: SHA1 is deprecated and should no longer be linked from
> download pages.
> New releases should have sha256 and/or sha512 hashes instead.
> If a historic release only has a SHA1 hash, that can be retained, but ideally
> it can be replaced with a better sha256/512 one.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
