[ https://issues.apache.org/jira/browse/OOZIE-3189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated OOZIE-3189: --------------------------------- Description: Apache has updated it's policy on the release signatures, as per it's website [here|https://www.apache.org/dev/release-distribution#sigs-and-sums] and a recent email. Basically, all future releases should be providing a sha512 checksum instead of an md5 one. There are two tasks: # Update the release script to use sha512 instead of md5 [https://github.com/apache/oozie/blob/master/bin/create-release-artifact#L71] [https://www.apache.org/dev/release-signing#sha-checksum] # Update the wiki (requires committer/pmc permissions?) [https://cwiki.apache.org/confluence/display/OOZIE/How+To+Release] While we're updating the wiki, we should add details on: # Making sure the gpg key used for signing releases is 4096 bit RSA # Publishing your gpg public key to a key server ([https://www.apache.org/dev/release-signing#keyserver]) was: Apache has updated it's policy on the release signatures, as per it's website [here|https://www.apache.org/dev/release-distribution#sigs-and-sums] and a recent email. Basically, all future releases should be providing a sha512 checksum instead of an md5 one. There are two tasks: # Update the release script to use sha512 instead of md5 [https://github.com/apache/oozie/blob/master/bin/create-release-artifact#L71] # Update the wiki (requires committer/pmc permissions?) [https://cwiki.apache.org/confluence/display/OOZIE/How+To+Release] While we're updating the wiki, we should add details on: # Making sure the gpg key used for signing releases is 4096 bit RSA # Publishing your gpg public key to a key server ([https://www.apache.org/dev/release-signing#keyserver]) > Update the release script and wiki page to use sha512 instead of md5 > -------------------------------------------------------------------- > > Key: OOZIE-3189 > URL: https://issues.apache.org/jira/browse/OOZIE-3189 > Project: Oozie > Issue Type: Improvement > Components: scripts > Reporter: Robert Kanter > Assignee: Robert Kanter > Priority: Major > Fix For: 5.0.0 > > > Apache has updated it's policy on the release signatures, as per it's website > [here|https://www.apache.org/dev/release-distribution#sigs-and-sums] and a > recent email. Basically, all future releases should be providing a sha512 > checksum instead of an md5 one. > There are two tasks: > # Update the release script to use sha512 instead of md5 > [https://github.com/apache/oozie/blob/master/bin/create-release-artifact#L71] > [https://www.apache.org/dev/release-signing#sha-checksum] > # Update the wiki (requires committer/pmc permissions?) > [https://cwiki.apache.org/confluence/display/OOZIE/How+To+Release] > While we're updating the wiki, we should add details on: > # Making sure the gpg key used for signing releases is 4096 bit RSA > # Publishing your gpg public key to a key server > ([https://www.apache.org/dev/release-signing#keyserver]) -- This message was sent by Atlassian JIRA (v7.6.3#76005)