[ 
https://issues.apache.org/jira/browse/LUCENE-8493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16628840#comment-16628840
 ] 

Jan Høydahl commented on LUCENE-8493:
-------------------------------------

In the 5_5 branch I duplicated the changes entry under both 7.6.0 and 7.5.1. So 
if 7.6 is released instead of or before 7.5.1 then all is correct. However, if 
7.5.1 is released before 7.6.0 and 8.0.0 then we need to include this issue in 
the 7.5.1 section on those branches as well. But I think that is part of the 
pre-release job anyway.

> Stop publishing .sha1 files with releases
> -----------------------------------------
>
>                 Key: LUCENE-8493
>                 URL: https://issues.apache.org/jira/browse/LUCENE-8493
>             Project: Lucene - Core
>          Issue Type: Task
>          Components: -tools
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: build, release, security, sha1sum
>             Fix For: 7.5.1, 7.6, master (8.0)
>
>         Attachments: LUCENE-8493.patch
>
>
> In LUCENE-7935 we added {{.sha512}} checksums to releases and removed 
> {{.md5}} files.
> According to the Release Distribution Policy 
> (http://www.apache.org/dev/release-distribution#sigs-and-sums):
> {quote}For every artifact distributed to the public through Apache channels, 
> the PMC
> MUST supply a valid OpenPGP-compatible ASCII-armored detached signature file
> MUST supply at least one checksum file
> SHOULD supply a SHA-256 and/or SHA-512 checksum file
> *SHOULD NOT supply a MD5 or SHA-1 checksum file* (because these are 
> deprecated)
> {quote}
> So this Jira will stop publishing .sha1 files, leaving only the .sha512


