[ https://issues.apache.org/jira/browse/TINKERPOP-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393367#comment-16393367 ]

Robert Dale commented on TINKERPOP-1912:
----------------------------------------

I think the first priority is to be compliant. So just removing the MD5 sum is 
sufficient and addresses the title of this ticket.  I would open another ticket 
for generating SHA-512. There seem to be several tickets open at maven and 
maven repositories to start supporting better than SHA-1 so that problem may 
eventually resolve itself.

Along the same lines, the [download page|http://tinkerpop.apache.org/downloads.html] 
should offer direct links to the checksum files for convenience or at least a 
direct link to the primary dir that contains the checksums.  Doesn't have to be 
fancy. Maybe something as simple as appending another link to 
'[release notes|https://github.com/apache/tinkerpop/blob/3.3.1/CHANGELOG.asciidoc#release-3-3-1] | 
[upgrade|http://tinkerpop.apache.org/docs/3.3.1/upgrade/#_tinkerpop_3_3_1] | 
[documentation|http://tinkerpop.apache.org/docs/3.3.1/] | 
[javadoc|http://tinkerpop.apache.org/javadocs/3.3.1/full/] | 
{color:#d04437}+checksums+{color}'. Otherwise, what's the point of providing 
them when it's so obscure how to get to them?

> Remove MD5 checksums
> --------------------
>
>                 Key: TINKERPOP-1912
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1912
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: build-release
>    Affects Versions: 3.2.7
>            Reporter: Daniel Kuppitz
>            Assignee: Daniel Kuppitz
>            Priority: Minor
>
> Apache is asking to remove MD5 checksums from releases.
> *Old policy:*
>  * MUST provide a MD5-file
>  * SHOULD provide a SHA-file [SHA-512 recommended]
> *New policy:*
>  * MUST provide a SHA- or MD5-file
>  * SHOULD provide a SHA-file
>  * SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases, but still 
> allowed for past releases.
> *Why this change:*
>  * MD5 is broken for many purposes; we should move away from it.
> [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
> *Impact for PMCs:*
>  * _*for new releases:*_
>  ** please do provide a SHA-file (one or more, if you like)
>  ** do NOT provide a MD5-file



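A checker, added here as an example and not part of TinkerPop's release tooling, that applies the policy quoted above to the sidecar files sitting next to a downloaded artifact: it reads `.md5`/`.sha1`/`.sha256`/`.sha512` sidecars in any of three layouts (bare hex, `sha512sum` output, or `gpg --print-md` output; which layouts occur is an assumption), verifies each against the artifact, and reports a release as compliant only when a SHA-256 or SHA-512 sidecar exists and matches. The file names and contents in `demo()` are constructed.

```python
import hashlib, os, tempfile

# Sidecar extension -> hashlib name. Only SHA-2 satisfies the new policy:
# MD5 is discouraged and SHA-1 is weak, so neither counts on its own.
SIDECARS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
STRONG = {"sha256", "sha512"}
def parse_sidecar(text):
    """Lowercase hex digest from a bare-hex, `sha512sum` ("<hex>  <file>") or
    `gpg --print-md` ("<file>: ABCD EF01 ...", possibly line-wrapped) sidecar."""
    if ":" in text:                       # gpg style: drop "<file>:", join groups
        digest = "".join(text.split(":", 1)[1].split()).lower()
    else:                                 # bare or sha512sum style: first token
        digest = (text.split() or [""])[0].lower()
    if not digest or digest.strip("0123456789abcdef"):
        raise ValueError("sidecar does not contain a hex digest")
    return digest
def verify_release(artifact):
    """Return (compliant, findings): needs a matching SHA-2 sidecar and no mismatch."""
    with open(artifact, "rb") as fh:
        data = fh.read()
    findings, strong_ok, mismatch = [], False, False
    for ext, algo in SIDECARS.items():
        if not os.path.exists(artifact + ext):
            continue
        with open(artifact + ext) as fh:
            expected = parse_sidecar(fh.read())
        if hashlib.new(algo, data).hexdigest() != expected:
            findings.append(f"{algo}: MISMATCH")
            mismatch = True
        elif algo in STRONG:
            findings.append(f"{algo}: ok")
            strong_ok = True
        else:
            findings.append(f"{algo}: matches, but not acceptable on its own")
    if not strong_ok:
        findings.append("no SHA-256/SHA-512 sidecar: not policy-compliant")
    return strong_ok and not mismatch, findings
def demo():
    """Constructed release dir: artifact plus an .md5 and a gpg-style .sha512."""
    with tempfile.TemporaryDirectory() as d:
        art = os.path.join(d, "example-release-bin.zip")    # constructed name
        data = b"not a real release archive"                # constructed content
        hx = hashlib.sha512(data).hexdigest().upper()
        grouped = " ".join(hx[i:i + 4] for i in range(0, len(hx), 4))
        for name, body in ((art, data), (art + ".md5", hashlib.md5(data).hexdigest()),
                           (art + ".sha512", f"{os.path.basename(art)}: {grouped}")):
            with open(name, "wb" if isinstance(body, bytes) else "w") as fh:
                fh.write(body)
        return verify_release(art)
```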
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
