[ https://issues.apache.org/jira/browse/TINKERPOP-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393367#comment-16393367 ]
Robert Dale commented on TINKERPOP-1912:
----------------------------------------

I think the first priority is to be compliant. So just removing the MD5 sum is sufficient and addresses the title of this ticket. I would open another ticket for generating SHA-512. There seem to be several tickets open at maven and maven repositories to start supporting better than SHA-1 so that problem may eventually resolve itself.

Along the same lines, the [download page|http://tinkerpop.apache.org/downloads.html] should offer direct links to the checksum files for convenience or at least a direct link to the primary dir that contains the checksums. Doesn't have to be fancy. Maybe something as simple as appending another link to '[release notes|https://github.com/apache/tinkerpop/blob/3.3.1/CHANGELOG.asciidoc#release-3-3-1] | [upgrade|http://tinkerpop.apache.org/docs/3.3.1/upgrade/#_tinkerpop_3_3_1] | [documentation|http://tinkerpop.apache.org/docs/3.3.1/] | [javadoc|http://tinkerpop.apache.org/javadocs/3.3.1/full/] | {color:#d04437}+checksums+{color}'. Otherwise, what's the point of providing them when it's so obscure how to get to them?

> Remove MD5 checksums
> --------------------
>
>                 Key: TINKERPOP-1912
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1912
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: build-release
>    Affects Versions: 3.2.7
>            Reporter: Daniel Kuppitz
>            Assignee: Daniel Kuppitz
>            Priority: Minor
>
> Apache is asking to remove MD5 checksums from releases.
> *Old policy:*
> * MUST provide a MD5-file
> * SHOULD provide a SHA-file [SHA-512 recommended]
> *New policy:*
> * MUST provide a SHA- or MD5-file
> * SHOULD provide a SHA-file
> * SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases, but still
> allowed for past releases.
> *Why this change:*
> * MD5 is broken for many purposes; we should move away from it.
> [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
> *Impact for PMCs:*
> * _*for new releases:*_
> ** please do provide a SHA-file (one or more, if you like)
> ** do NOT provide a MD5-file

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
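
The new policy quoted in the ticket can be checked mechanically before a release is published. The following is an added example, not part of the ticket or of TinkerPop's release tooling; the function names, the `<artifact>.<ext>` sidecar naming and the checksum file layout (hex digest as first token) are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: checksums are sidecar files named <artifact>.<ext>.
SHA_ALGOS = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
SIDECARS = tuple(SHA_ALGOS) + (".md5", ".asc")

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_release_dir(release_dir):
    """Return (artifact, level, detail) findings against the new policy."""
    findings = []
    files = sorted(p for p in Path(release_dir).iterdir() if p.is_file())
    for artifact in (p for p in files if p.suffix not in SIDECARS):
        shas = [s for s in (Path(f"{artifact}{e}") for e in SHA_ALGOS) if s.exists()]
        has_md5 = Path(f"{artifact}.md5").exists()
        if not shas and not has_md5:
            findings.append((artifact.name, "MUST", "no SHA- or MD5-file"))
        elif not shas:
            findings.append((artifact.name, "SHOULD", "no SHA-file"))
        if has_md5:
            findings.append((artifact.name, "SHOULD NOT", "MD5-file present"))
        for sha in shas:
            # Assumption: first token is the hex digest (sha512sum-style).
            tokens = sha.read_text().split()
            expected = tokens[0].lower() if tokens else ""
            if file_digest(artifact, SHA_ALGOS[sha.suffix]) != expected:
                findings.append((artifact.name, "MISMATCH", sha.name))
    return findings

def demo():
    """Audit a constructed directory: compliant, MD5-only, and altered files."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("good.zip", "legacy.zip", "altered.zip"):
            (d / name).write_bytes(name.encode())
        good = hashlib.sha512(b"good.zip").hexdigest()
        (d / "good.zip.sha512").write_text(good + "  good.zip\n")
        (d / "legacy.zip.md5").write_text("constructed-md5-placeholder\n")
        (d / "altered.zip.sha512").write_text(hashlib.sha512(b"other").hexdigest())
        return audit_release_dir(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An empty result means every artifact has a matching SHA file and no MD5 file; MD5 sidecars are only reported, never used for verification.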