[
https://issues.apache.org/jira/browse/TINKERPOP-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393008#comment-16393008
]
Daniel Kuppitz commented on TINKERPOP-1912:
-------------------------------------------
I'll give this ticket a break as I'm kinda stuck. Here's what I did thus far
and where I ran into problems.
First I added the {{checksum-maven-plugin}} and configured it to generate
SHA-512 checksums for all artifacts. Unfortunately, these artifacts do not
include the source release and I have no idea if there's a way to generate the
source release zip file as part of the build so that it ends up being in the
{{target/}} directory.
There are only a few steps in our release process that require the artifacts
and their respective checksums:
{noformat}
cp ~/.m2/repository/org/apache/tinkerpop/gremlin-console/xx.yy.zz/gremlin-console-xx.yy.zz-distribution.zip* dev/xx.yy.zz
cp ~/.m2/repository/org/apache/tinkerpop/gremlin-server/xx.yy.zz/gremlin-server-xx.yy.zz-distribution.zip* dev/xx.yy.zz
cp ~/.m2/repository/org/apache/tinkerpop/tinkerpop/xx.yy.zz/tinkerpop-xx.yy.zz-source-release.zip* dev/xx.yy.zz
{noformat}
The first 2 steps can easily be solved by this PR, as we can now get the
artifacts and the checksum files from the respective {{target/}} directories.
However, the source release zip file still only gets generated in {{.m2}}
without the required SHA-512 checksum file.
*.m2 directories:*
{noformat}
daniel@cube ~/.m2 $ ls repository/org/apache/tinkerpop/{gremlin-console,gremlin-server,tinkerpop}/3.2.8-SNAPSHOT/*.zip*
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.asc
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.md5
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.sha1
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.asc
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.md5
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.sha1
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.asc
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.md5
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.sha1
{noformat}
*Local target directories:*
{noformat}
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $ ll {gremlin-console,gremlin-server}/target/*distribution.zip*
-rw-r--r-- 1 daniel daniel 23979755 Mar 9 08:16 gremlin-console/target/apache-tinkerpop-gremlin-console-3.2.8-SNAPSHOT-distribution.zip
-rw-r--r-- 1 daniel daniel 128 Mar 9 08:16 gremlin-console/target/apache-tinkerpop-gremlin-console-3.2.8-SNAPSHOT-distribution.zip.sha512
-rw-r--r-- 1 daniel daniel 23700174 Mar 9 08:15 gremlin-server/target/apache-tinkerpop-gremlin-server-3.2.8-SNAPSHOT-distribution.zip
-rw-r--r-- 1 daniel daniel 128 Mar 9 08:15 gremlin-server/target/apache-tinkerpop-gremlin-server-3.2.8-SNAPSHOT-distribution.zip.sha512
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $ find . -name "*source-release.zip*"
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $
{noformat}
One way out of this misery could be to use SHA-1 files only. In fact, this
would be pretty easy and require almost no changes at all. However, if anybody
can come up with an idea on how to generate the SHA-512 checksum (recommended by
Apache) for the source release, I'm all ears. If not, I will just revert my
changes at some point and adjust the release steps to only include the SHA-1
checksum.
> Remove MD5 checksums
> --------------------
>
> Key: TINKERPOP-1912
> URL: https://issues.apache.org/jira/browse/TINKERPOP-1912
> Project: TinkerPop
> Issue Type: Improvement
> Components: build-release
> Affects Versions: 3.2.7
> Reporter: Daniel Kuppitz
> Assignee: Daniel Kuppitz
> Priority: Minor
>
> Apache is asking to remove MD5 checksums from releases.
> *Old policy:*
> * MUST provide a MD5-file
> * SHOULD provide a SHA-file [SHA-512 recommended]
> *New policy:*
> * MUST provide a SHA- or MD5-file
> * SHOULD provide a SHA-file
> * SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases, but still
> allowed for past releases.
> *Why this change:*
> * MD5 is broken for many purposes; we should move away from it.
> [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
> *Impact for PMCs:*
> * _*for new releases:*_
> ** please do provide a SHA-file (one or more, if you like)
> ** do NOT provide a MD5-file
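Added example, not part of the comment above or of the TinkerPop build: a POSIX shell snippet that writes a bare-hash {{.sha512}} file in the same 128-byte format the listing above shows for the {{checksum-maven-plugin}} output (so the same step can be run by hand for the source release zip that the plugin misses), plus a verifier that accepts both that bare format and the {{<hash>  <file>}} format written by {{sha512sum}}, which {{sha512sum -c}} alone requires. The {{sha512_hex}}, {{write_sha512}} and {{verify_sha512}} function names are this example's own.

```shell
#!/bin/sh
# Added example (not TinkerPop project code). Produces and checks SHA-512
# checksum files for release artifacts.

# sha512_hex FILE -> prints the lower-case SHA-512 hex digest of FILE
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1    # macOS / BSD fallback
    fi
}

# write_sha512 FILE -> creates FILE.sha512 as a bare 128-character digest,
# no filename and no trailing newline (the 128-byte form seen in target/)
write_sha512() {
    printf '%s' "$(sha512_hex "$1")" > "$1.sha512"
}

# verify_sha512 FILE [CHECKSUM_FILE] -> exit 0 if FILE matches the digest,
# 1 otherwise. CHECKSUM_FILE defaults to FILE.sha512 and may hold either a
# bare digest or a "<hash>  <name>" line as written by sha512sum.
verify_sha512() {
    file=$1
    sums=${2:-$1.sha512}
    [ -r "$sums" ] || { echo "missing checksum file: $sums" >&2; return 1; }
    # first whitespace-separated token, normalised to lower case
    expected=$({ tr -d '\r\n' < "$sums"; echo; } | awk '{print tolower($1)}')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed digest in $sums" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "$sums is not a SHA-512 digest" >&2; return 1; }
    actual=$(sha512_hex "$file")
    [ "$actual" = "$expected" ]
}
```

Run {{write_sha512}} against the source-release zip before copying it to {{dev/xx.yy.zz}}, and {{verify_sha512}} on the downloaded artifact to confirm the copy was not altered in transit.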