On Tue, 3 Sep 2019 at 19:36, Vladimir Sitnikov
<[email protected]> wrote:
>
> >but isn't it a bit different in semantics to
> >the current checksum based validation?
>
> Exactly. It is a different semantics.
> The case here is I do not know the intention behind use of SHA-512 in
> JMeter build.

As I recall, MD5 hashes of jars were originally added to ensure that
the jars were correctly downloaded.
There may also have been some cases where different versions of jars
did not have different names.

> >Do you think this is a problem?
>
> I'm inclined that PGP is good enough.
> For instance, JMeter publishes 20 or so jars to Nexus, and we never publish
> "the official" SHA-512 checksums.

AFAIK, that's only because Nexus does not yet support SHA-512.
There are plans to enable that.

> >but isn't it a bit different in semantics
>
> There's yet another option: we could use both PGP+SHA for verification.
> It won't make dependency updates easier, however it would simplify review.

However, using PGP to check downloaded jars means users have to install
PGP and fetch the KEYS.

This is additional work for users.

Also using the PGP key would not distinguish the case where different
versions of the jar have the same name.
I agree it's not likely, but it's also not impossible.

Using the key is a neat idea, but I don't think the advantages
outweigh the disadvantages.

> Vladimir
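As an added illustration of the distinction discussed in this thread (not code from the thread or from JMeter's build), a small Python check that pins a SHA-512 sidecar value per file name: a re-published jar with the same name but different bytes fails the check, which a valid signature from the same key alone would not flag. The sidecar format, file names and contents are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def parse_sha512_file(text: str) -> Dict[str, str]:
    """Parse '<128 hex chars>  <filename>' lines into {filename: hex_digest}."""
    pinned: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(\S+)\s*$", line.strip())
        if m:
            pinned[m.group(2)] = m.group(1).lower()
    return pinned


def verify_jar(name: str, data: bytes, pinned: Dict[str, str]) -> bool:
    """True only if the bytes match the pinned SHA-512 recorded for this name."""
    expected = pinned.get(name)
    if expected is None:
        return False  # no pinned value: fail closed rather than trust by name
    return hmac.compare_digest(sha512_hex(data), expected)


# Constructed sample artifacts (not real jars): same name, different bytes
ORIGINAL = b"PK\x03\x04 constructed contents of lib-1.0.jar, build A"
REBUILT = b"PK\x03\x04 constructed contents of lib-1.0.jar, build B"
# Constructed sidecar file, as a build script would record it for build A
CHECKSUMS = f"{sha512_hex(ORIGINAL)}  lib-1.0.jar\n"


def demo() -> Dict[str, bool]:
    pinned = parse_sha512_file(CHECKSUMS)
    return {
        "original_ok": verify_jar("lib-1.0.jar", ORIGINAL, pinned),
        "same_name_rebuilt_ok": verify_jar("lib-1.0.jar", REBUILT, pinned),
        "unknown_name_ok": verify_jar("other.jar", ORIGINAL, pinned),
    }


if __name__ == "__main__":
    print(demo())
```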
