Julian Foad wrote on Mon, 13 Aug 2018 12:59 +0100:
> We "SHOULD NOT" any longer publish SHA1 checksums for new releases, according to
> https://www.apache.org/dev/release-distribution#sigs-and-sums
>
> So I have done this:
>
> * remove references to SHA1 from the documentation
>
> -- http://svn.apache.org/r1837935
>

+1

> * stop producing *.sha1 files and stop listing SHA1 on the 'downloads' page
>
> -- http://svn.apache.org/r1837939
>

I was under the impression that we should keep producing *.sha1 files for 1.9 and 1.10 releases, for compatibility reasons. The "SHOULD NOT" language in the policy was specifically intended to allow this sort of compatibility.

To be clear, I'm suggesting that we only drop sha1 checksums for 1.11.0-alpha1 and newer.

WDYT?

> * remove SHA1 listings from the 'downloads' web page for current releases
>
> -- http://svn.apache.org/r1837938
>

+1

> Thanks to Paul Hammant for mentioning this policy to me.

Thank you for doing the legwork.

Cheers,

Daniel