FYI - About 6 hours prior to this email Alex asked Henk on users@infra about the ant tooling that produces nonconforming extensions. I’m not sure that’s the correct list, but he is looking into correcting the issue that Justin brought to our attention.
Regards, Dave Sent from my iPhone > On Mar 13, 2018, at 10:48 PM, Niclas Hedhman <nic...@hedhman.org> wrote: > > It may be that everyone is ignoring Justin, so I thought I would provide > the link; http://www.apache.org/dev/release-distribution.html#sigs-and-sums > > <quote> > The names of signature and checksum files *MUST* be formed by adding to the > name of the artifact the following suffixes: > > .asc for a (ASCII armored) PGP signature > .sha1 for a SHA-1 checksum > .sha256 for a SHA-256 checksum > .sha512 for a SHA-512 checksum > </quote> > > This is not the case for https://dist.apache.org/repos/ > dist/dev/royale/0.9.2/rc2 > <https://dist.apache.org/repos/dist/dev/royale/0.9.2/rc2/apache-royale-0.9.2-src.zip> > > I also can't easily find the KEYS file that MUST be published on website > (typically on download page, otherwise in repository root). > > > You WILL get a friendly correction from someone in Infra, probably Henk > Penning, who is the long standing (for decades) security/crypto pillar of > the foundation. It is a lot easier to simply change the file name according > before that. > > > HTH & Cheers > Niclas > > > > On Wed, Mar 14, 2018 at 5:56 AM, Justin Mclean <jus...@classsoftware.com> > wrote: > >> Hi, >> >> The sha files have the wrong extension, I mentioned that some time ago >> here. [1] The extension maters due to how hashes and the mirror system >> interact. >> >> They can be easily renamed to be correct (i.e.ending in .sha512 not >> .SHA-512) and there’s no need to revote/make another RC due to this. >> >> Thanks, >> Justin >> >> 1. https://lists.apache.org/thread.html/dbe6370c0a088be60b2f28ac05819c >> 89e4cc5b688ecbe82fc00fe73c@%3Cdev.royale.apache.org%3E > > > > > -- > Niclas Hedhman, Software Developer > http://polygene.apache.org - New Energy for Java
