Hi Mick
I already closed the vote mail, because try apache 21 pom makes me have to delete existed tag, which may cause unknown issues about checked. But after I upgraded the pom to 21[1], and did a release again[2]. Still no sha512 found in staging repo, such as our distribution package[3]. I think they haven't provided a way to do this. And I read the pom release announcement[4] again, they said > It includes generating sha512 checksums for the source-release (not the artifacts going to maven central where sha1 and md5 are pretty built-in). I am not 100% sure about the meanings, but look like maven central requires sha1 and m5. So, any one have more opinions about this? Do I need to start a new vote?(Keep no sha512 in nexus repo) [1] https://repository.apache.org/content/repositories/orgapacheskywalking-1018/org/apache/skywalking/apm/5.0.0-RC/apm-5.0.0-RC.pom [2] https://repository.apache.org/content/repositories/orgapacheskywalking-1018 [3] https://repository.apache.org/content/repositories/orgapacheskywalking-1018/org/apache/skywalking/apache-skywalking-apm-incubating/5.0.0-RC/ [4] https://lists.apache.org/thread.html/ab0838d16033a54e039cf3dbe3344c7e63b340f0dbc14ad14211ff1d@%3Cannounce.maven.apache.org%3E ------------------ Sheng Wu Apache SkyWalking ------------------ Original ------------------ From: "mck"<[email protected]>; Date: Fri, Aug 31, 2018 09:35 AM To: "dev"<[email protected]>; Subject: Re: [VOTE] Release Apache SkyWalking (incubating) version 5.0.0-RC > Voting will start now (2018/8/29 date) and will remain open for at least > 72 hours, Request all PPMC members to give their vote. > [ ] +1 Release this package. > [ ] +0 No opinion. > [ ] -1 Do not release this package because.... -1 The digests on the maven artefacts don't meet the new ASF release requirements. The distribution artefacts are good, only asc signatures and sha512 digests, as seen in https://dist.apache.org/repos/dist/dev/incubator/skywalking/5.0.0-RC/ But the artefacts in the maven staging repository don't have sha512 digests, and have the now forbidden md5 and sha1 digests. As seen in https://repository.apache.org/content/repositories/orgapacheskywalking-1017/org/apache/skywalking/agent-grpc-provider/5.0.0-RC/ The relevant ASF documentation is in https://www.apache.org/dev/release-distribution#sigs-and-sums specifically?? > For every artifact distributed to the public through Apache channels, the PMC > > - MUST supply a valid OpenPGP-compatible ASCII-armored detached signature > file > - MUST supply at least one checksum file > - SHOULD supply a SHA-256 and/or SHA-512 checksum file > - SHOULD NOT supply a MD5 or SHA-1 checksum file (because these are > deprecated) > > For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT > supply MD5 or SHA-1. Existing releases do not need to be changed. Upgrading to apache pom 21 should fix this. https://lists.apache.org/thread.html/ab0838d16033a54e039cf3dbe3344c7e63b340f0dbc14ad14211ff1d@%3Cannounce.maven.apache.org%3E regards, Mick
