Le 16 août 2017 11:00:31 GMT+02:00, Niclas Hedhman <[email protected]> a écrit : >Relevant? >---------- Forwarded message ---------- >From: "Henk P. Penning" <[email protected]> >Date: Aug 16, 2017 10:56 >Subject: .sha Release Distribution Policy >To: <[email protected]> >Cc: > >Hi PMC, > > The Release Distribution Policy[1] changed regarding .sha files. > See under "Cryptographic Signatures and Checksums Requirements" [2]. > > Old policy : > > -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512) > > New policy : > > -- use .sha1 for a SHA-1 checksum > -- use .sha256 for a SHA-256 checksum > -- use .sha512 for a SHA-512 checksum > -- [*] .sha should contain a SHA-1 > > Why this change ? > > -- Verifying a checksum under the old policy is/was not handy. > You have to inspect the .sha to find out which algorithm > should be used ; or try them all (SHA-1, SHA256, etc). > The new scheme avoids this ambiguity. > -- The last point[*] was only added for clarity. Most of the > old, stale .sha's contain a SHA-1. The relatively new .sha's > contain a SHA-512. The expectation is that the last catagory will > disappear, when active projects adapt to the 'new' convention. > > Impact : > > -- Should be none ; many projects already use the 'new' convention. > -- Please ask your release managers to use .sha1, .sha256, .sha512 > instead of the .sha extension. > -- Please fix your build-tools if you have any. > > Piggyback : > > -- The policy requires a .md5 for every package ; > providing a .sha512 is recommended. > Since MD5 is essentially broken, it is to be expected that > in the future a .sha512 will be required. > Perhaps it is wize to start providing .sha512's > with your releases if you do not already do so. > > -- Visit http://mirror-vm.apache.org/checker/ > to check the health of your /dist/-area ; > my stuff ; any feedback is most welcome. > > Thanks ; regards, > > Henk Penning > > [1] http://www.apache.org/dev/release-distribution > [2] http://www.apache.org/dev/release-distribution#sigs-and-sums > >------------------------------------------------------------ >Henk P. Penning ; apache.org infrastructure volunteer. >[email protected] ; http://mirror-vm.apache.org/~henkp/
Yes it is. Actually we use a 'SHA-512' extension and we should change it to 'sha512' according to the new policy. I'm on my phone, Niclas, would you mind creating an issue and assign it to me?
