As with all things Maven and Central, we must consider the long tail
of versions in use. It's not going to work to flip a switch and fork
the community over updated hashes. Instead, the role of Maven here
should be first to enable the new hashes, but it shouldn't blow up if a
given upstream tool can't consume or produce the new hashes.

We were planning on doing some full system walks and validations on
Central in the near future for different reasons, I'll see if it's
possible to generate new hashes at the same time. I would only want to
publish updated sha2 hashes if the original sha1 hash was proper, I
don't think burying the broken hash is a good idea without subsequent
investigation.

On Sun, May 31, 2020 at 4:51 PM Michael Osipov <micha...@apache.org> wrote:
>
> On 2020-05-31 at 17:19, Robert Scholte wrote:
> > hi,
> >
> > It would be great if Sonatype could lead this request.
> > It seems like a similar process compared to the TLSv1.2 requirement and the 
> > drop of http
> > They have the best overview in how to handle the switch to different hashes.
> > You can already start with #1, but until then I would be careful with #2
>
> #2 can't be done w/o careful planning. That's clear.
> Who's the right contact at Sonatype? Brian Fox?
>
>
> > On 31-5-2020 16:58:58, Michael Osipov <micha...@apache.org> wrote:
> > Folks,
> >
> > I have been recently (indirectly) approached by Mark Thomas for the
> > Tomcat committers that he wants to provide SHA-2 hashes for all uploaded
> > Tomcat artifacts in Central. Since Nexus 2.14.18 supports this properly
> > for validation, I have picked up MRESOLVER-56 and asked for testing.
> >
> > I'd like also to discuss two proposals for the Maven community:
> > 1. Introduce SHA-2 support in Maven Resolver 1.4.3 which will go into
> > Maven 3.7.0
> > 2. Deprecate MD5 and SHA-1 with that release and make them obsolete with
> > Maven 4.0 and Maven Resolver 2.0 which will include package change also.
> >
> >
> > Those proposals have the following greater implications:
> > 1.
> > * Certain repo managers might reject hashes they don't know, as
> > Nexus did on repository.a.o.
> > * This will incur two more requests with each upload and download. In
> > the latter, it will fail with 404 because most repo managers won't have
> > SHA-2 hashes. So Central fails for now. (Will be solved with 2.)
> >
> > 2.
> > * All repo managers will need to
> > ** rehash all current content to provide SHA-2 hashes
> > ** Require SHA-2 hashes to be uploaded
> > ** Reject MD5 and SHA-1 hashes
> > * Old tools will fail because MD5 and SHA-1 hashes are gone:
> > ** Uploads will be rejected
> > ** Strict download validation will fail
> >
> > Please comment. I will also provide a draft PR soon.
> > I can cast two formal votes if required.
> >
> > Michael
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
> >
>
>

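The two operations the thread turns on, as an added example that is not part of the mailing-list discussion or of Maven Resolver's code: a server-side rehash pass that emits SHA-2 sidecars only when the existing `.sha1` sidecar verifies against the artifact (the condition the top post asks for), and a client-side validator that tries the strongest sidecar present and tolerates absent ones (the 404 case from proposal 1) instead of failing on the long tail of repositories that only publish MD5/SHA-1. The sidecar naming (`artifact.sha256`, `artifact.sha512`) follows the existing `.sha1`/`.md5` convention; the `"digest  filename"` tolerance, the temp-dir layout and all sample bytes are constructed for this example, and `publish_sha2`, `validate_download` and `demo` are hypothetical helpers, not Resolver APIs.

```python
import hashlib
import tempfile
from pathlib import Path

# Sidecars a Maven repository may publish next to an artifact, strongest first.
# .sha256/.sha512 are the proposed SHA-2 sidecars; .sha1/.md5 are the legacy ones.
ALGORITHMS = [("sha512", ".sha512"), ("sha256", ".sha256"),
              ("sha1", ".sha1"), ("md5", ".md5")]


def digest(path, algo):
    """Hex digest of a file, streamed so large artifacts are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sidecar(text):
    """Accept a bare hex digest or 'digest  filename' (sha1sum style); compare
    case-insensitively. This leniency is an assumption of the example."""
    parts = text.strip().split()
    return parts[0].lower() if parts else ""


def publish_sha2(artifact):
    """Rehash pass: write .sha256/.sha512 sidecars only if the existing .sha1
    sidecar is proper. A broken SHA-1 is left alone for investigation rather
    than silently buried under fresh SHA-2 files."""
    sha1_file = Path(str(artifact) + ".sha1")
    if not sha1_file.exists():
        return ("skipped", "no .sha1 sidecar")
    expected = parse_sidecar(sha1_file.read_text())
    actual = digest(artifact, "sha1")
    if expected != actual:
        return ("skipped", "sha1 mismatch: expected %s, computed %s" % (expected, actual))
    written = []
    for algo in ("sha256", "sha512"):
        side = Path(str(artifact) + "." + algo)
        side.write_text(digest(artifact, algo) + "\n")
        written.append(side.name)
    return ("ok", written)


def validate_download(artifact):
    """Download check: use the strongest sidecar that exists; an absent sidecar
    (what a 404 from an old repo manager looks like locally) is skipped, not
    treated as a failure. Returns (algorithm_used, verdict) where verdict is
    'ok', 'mismatch' or 'missing'; the caller maps that onto its checksum
    policy (fail/warn/ignore)."""
    for algo, ext in ALGORITHMS:
        side = Path(str(artifact) + ext)
        if not side.exists():
            continue  # this repo does not publish that algorithm; try the next
        expected = parse_sidecar(side.read_text())
        if expected == digest(artifact, algo):
            return (algo, "ok")
        return (algo, "mismatch")  # a present-but-wrong sidecar is never ignored
    return (None, "missing")  # no sidecar at all


def demo():
    """Run both steps over a constructed artifact with a correct .sha1 sidecar
    and over one whose .sha1 sidecar was mis-published (all-zero digest)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for case, tamper in (("good", False), ("bad", True)):
            art = Path(tmp) / ("%s-1.0.jar" % case)
            art.write_bytes(b"constructed artifact bytes for " + case.encode())
            sha1 = "0" * 40 if tamper else digest(art, "sha1")
            Path(str(art) + ".sha1").write_text(sha1 + "  " + art.name + "\n")
            results[case] = {"publish": publish_sha2(art),
                             "validate": validate_download(art)}
    return results


if __name__ == "__main__":
    for case, r in demo().items():
        print(case, r["publish"], r["validate"])
```

In the "good" case the rehash pass writes both SHA-2 sidecars and the validator then verifies against `.sha512`; in the "bad" case the pass refuses to publish SHA-2 files over a wrong SHA-1, and the validator reports the SHA-1 mismatch rather than hiding it. Whether a `missing` verdict is an error is deliberately left to the caller, since that is exactly the policy question the thread is debating.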