On 9/17/2018 3:01 PM, Yasser Zamani wrote: > Oh by the way, wait; I remember this from ASF: > > New policy : > > -- SHOULD supply a SHA-256 and/or SHA-512 checksum file > -- SHOULD NOT supply MD5 or SHA-1 checksum files > > Which I think it means we must push some changes (e.g. maven options I guess) > for release management into 2.3.x, 2.5.x and master branches before starting > the release process. Right?
Even with a lot of tries I couldn't make it work with 2.3.36 to deploy only SHA-256 and/or SHA-512 and not deploy MD5 or SHA-1 :( Currently with -DattachChecksums=true it generates SHA-256 and SHA-512 but only for root artifacts i.e. struts2-core-2.3.36.sha512 rather than struts2-core-2.3.36.jar.sha512 [1] so according to [2] it seems I have to upgrade 2.3.x also to use struts-master 12 but there are several worries: 1) 2.5.18 also doesn't have SHA-256 and/or SHA-512 and does have md5 and SHA-1 [3] (while it uses struts-master 12 (apache 21)). 2) Upgrading 2.3.x to use struts-master 12 may break the possibility of building it with jdk6 (I should check) so maybe I will have to just copy changes from [2] to 2.3.x. 3) With -DcreateChecksum=false install plugin stops generating md5 and SHA-1 files but I still see them in nexus and don't know who has generated them (they aren't in local .m2, nor target and nor maven release log). Regards. [1] https://repository.apache.org/service/local/repositories/orgapachestruts-1086/content/org/apache/struts/struts2-core/2.3.36/struts2-core-2.3.36.sha512 [2] https://gitbox.apache.org/repos/asf?p=maven-apache-parent.git;a=blobdiff;f=pom.xml;hb=apache-21;hpb=apache-20 [3] https://repository.apache.org/service/local/repositories/orgapachestruts-1081/content/org/apache/struts/struts2-assembly/2.5.18/struts2-assembly-2.5.18-all.zip.md5
