[ https://issues.apache.org/jira/browse/TINKERPOP-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393008#comment-16393008 ]
Daniel Kuppitz commented on TINKERPOP-1912:
-------------------------------------------

I'll give this ticket a break as I'm kinda stuck. Here's what I did thus far and where I ran into problems.

First I added the {{checksum-maven-plugin}} and configured it to generate SHA-512 checksums for all artifacts. Unfortunately, these artifacts do not include the source release and I have no idea if there's a way to generate the source release zip file as part of the build so that it ends up being in the {{target/}} directory.

There are only a few steps in our release process that require the artifacts and their respective checksums:

{noformat}
cp ~/.m2/repository/org/apache/tinkerpop/gremlin-console/xx.yy.zz/gremlin-console-xx.yy.zz-distribution.zip* dev/xx.yy.zz
cp ~/.m2/repository/org/apache/tinkerpop/gremlin-server/xx.yy.zz/gremlin-server-xx.yy.zz-distribution.zip* dev/xx.yy.zz
cp ~/.m2/repository/org/apache/tinkerpop/tinkerpop/xx.yy.zz/tinkerpop-xx.yy.zz-source-release.zip* dev/xx.yy.zz
{noformat}

The first 2 steps can easily be solved by this PR, as we can now get the artifacts and the checksum files from the respective {{target/}} directories. However, the source release zip file still only gets generated in {{.m2}} without the required SHA-512 checksum file.

*.m2 directories:*

{noformat}
daniel@cube ~/.m2 $ ls repository/org/apache/tinkerpop/{gremlin-console,gremlin-server,tinkerpop}/3.2.8-SNAPSHOT/*.zip*
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.asc
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.md5
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.sha1
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.asc
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.md5
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.sha1
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.asc
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.md5
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.sha1
{noformat}

*Local target directories:*

{noformat}
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $ ll {gremlin-console,gremlin-server}/target/*distribution.zip*
-rw-r--r-- 1 daniel daniel 23979755 Mar 9 08:16 gremlin-console/target/apache-tinkerpop-gremlin-console-3.2.8-SNAPSHOT-distribution.zip
-rw-r--r-- 1 daniel daniel 128 Mar 9 08:16 gremlin-console/target/apache-tinkerpop-gremlin-console-3.2.8-SNAPSHOT-distribution.zip.sha512
-rw-r--r-- 1 daniel daniel 23700174 Mar 9 08:15 gremlin-server/target/apache-tinkerpop-gremlin-server-3.2.8-SNAPSHOT-distribution.zip
-rw-r--r-- 1 daniel daniel 128 Mar 9 08:15 gremlin-server/target/apache-tinkerpop-gremlin-server-3.2.8-SNAPSHOT-distribution.zip.sha512
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $ find . -name "*source-release.zip*"
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $
{noformat}

One way out of this misery could be to use SHA-1 files only. In fact, this would be pretty easy and require almost no changes at all. However, if anybody can come up with an idea on how to generate the SHA-512 checksum (recommended by Apache) for the source release, I'm all ears. If not, I will just revert my changes at some point and adjust the release steps to only include the SHA-1 checksum.

> Remove MD5 checksums
> --------------------
>
>                 Key: TINKERPOP-1912
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1912
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: build-release
>    Affects Versions: 3.2.7
>            Reporter: Daniel Kuppitz
>            Assignee: Daniel Kuppitz
>            Priority: Minor
>
> Apache is asking to remove MD5 checksums from releases.
> *Old policy:*
> * MUST provide a MD5-file
> * SHOULD provide a SHA-file [SHA-512 recommended]
> *New policy:*
> * MUST provide a SHA- or MD5-file
> * SHOULD provide a SHA-file
> * SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases, but still
> allowed for past releases.
> *Why this change:*
> * MD5 is broken for many purposes; we should move away from it.
> [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
> *Impact for PMCs:*
> * _*for new releases:*_
> ** please do provide a SHA-file (one or more, if you like)
> ** do NOT provide a MD5-file

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
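
The checksum gap described in the comment above can be checked on the staging directory itself. The following is an added example, not part of the original message or of TinkerPop's release tooling: it creates a missing `.sha512` for each zip, verifies existing ones, and flags `.md5` files. The function names, the use of GNU `sha512sum`, and the reading of the 128-byte `.sha512` files as a bare hex digest are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not TinkerPop's release tooling. Assumes GNU coreutils sha512sum
# and a staging directory of release zips (dev/xx.yy.zz in the steps above).

# Print the lowercase hex SHA-512 digest of a file.
sha512_of() {
  sha512sum "$1" | cut -d' ' -f1
}

# Verify FILE against FILE.sha512. Accepts a bare 128-character hex digest
# (assumed layout of the 128-byte files in the listing) as well as the
# "digest  filename" layout, which is what `sha512sum -c` expects.
# Returns 0 on match, 1 on mismatch, 2 if missing, 3 if malformed.
verify_sha512() {
  local file="$1" expected
  [ -f "$file.sha512" ] || return 2
  expected=$(awk 'NR==1 {print tolower($1)}' "$file.sha512")
  case $expected in
    ''|*[!0-9a-f]*) return 3 ;;
  esac
  [ ${#expected} -eq 128 ] || return 3
  [ "$expected" = "$(sha512_of "$file")" ]
}

# For every zip in DIR: create a missing .sha512, verify an existing one, and
# report any .md5 file, which the new policy says SHOULD NOT be provided.
# Returns non-zero if a digest does not match or an .md5 file is present.
check_release_dir() {
  local dir="$1" rc=0 zip
  for zip in "$dir"/*.zip; do
    [ -e "$zip" ] || continue
    if [ ! -f "$zip.sha512" ]; then
      sha512_of "$zip" > "$zip.sha512"
      echo "created  $zip.sha512"
    elif verify_sha512 "$zip"; then
      echo "ok       $zip"
    else
      echo "MISMATCH $zip"; rc=1
    fi
    if [ -f "$zip.md5" ]; then
      echo "md5      $zip.md5 present"; rc=1
    fi
  done
  return $rc
}
```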