On 2018/03/05 17:57:41, Steve Varnau <steve.var...@esgyn.com> wrote:
> Ming,
>
> Our release is compliant, since we have both SHA and MD5 checksums, but the
> new policy is asking for new releases to remove MD5.
>
> So can you remove the md5 files from the release that is imminent?
>
> I will update the wiki release instructions to remove the md5 directions.
>
> --Steve
>
> -----Original Message-----
> From: Henk P. Penning [mailto:penn...@uu.nl]
> Sent: Monday, March 5, 2018 3:19 AM
> To: he...@apache.org
> Subject: checksum file Release Distribution Policy
>
> Hi Pmcs,
>
> The Release Distribution Policy[1] changed regarding checksum files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> MD5-file == a .md5 file
> SHA-file == a .sha1, sha256 or .sha512 file
>
> Old policy :
>
> -- MUST provide a MD5-file
> -- SHOULD provide a SHA-file [SHA-512 recommended]
>
> New policy :
>
> -- MUST provide a SHA- or MD5-file
> -- SHOULD provide a SHA-file
> -- SHOULD NOT provide a MD5-file
>
> Providing MD5 checksum files is now discouraged for new releases,
> but still allowed for past releases.
>
> Why this change :
>
> -- MD5 is broken for many purposes ; we should move away from it.
> https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
>
> Impact for PMCs :
>
> -- for new releases :
> -- please do provide a SHA-file (one or more, if you like)
> -- do NOT provide a MD5-file
>
> -- for past releases :
> -- you are not required to change anything
> -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
> it would be nice if you removed the MD5-file
>
> -- if, at the moment, you provide MD5-files,
> please adjust your release tooling.
>
> Please mail me (he...@apache.org) if you have any questions etc.
>
> FYI :
>
> Many projects are not (entirely, strictly) checksum file compliant.
> For an overview/inventory (by project) see :
>
> https://checker.apache.org/dist/unsummed.html
>
> At the moment :
>
> -- no checksum : 176 packages in 28 projects ; non-compliant
> -- only MD5 : 495 packages in 44 projects ; update tooling
> -- only SHA : 135 packages in 13 projects ; now compliant
>
> In many cases, only a few (among many) checksum file are missing ;
> you may want to fix that.
>
> [1] http://www.apache.org/dev/release-distribution
> [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>
> Thanks, groeten,
>
> Henk Penning -- apache.org infrastructure ; dist & mirrors.
>
> ------------------------------------------------------------
> Henk P. Penning, ICT-beta R Uithof MG-403
> Faculty of Science, Utrecht University T +31 30 253 4106
> Leuvenlaan 4, 3584CE Utrecht, NL F +31 30 253 4553
> http://www.staff.science.uu.nl/~penni101/ M penn...@uu.nl
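The policy quoted above asks projects to ship a SHA-file (SHA-512 recommended) and to adjust release tooling so no .md5 file is produced. The following shell script is an added example, not Apache or Trafodion release tooling: it writes an `<artifact>.sha512` file in the `HEX  filename` form that `sha512sum -c` reads, verifies an artifact against it, and counts leftover .md5 files in a distribution directory. Function names (`make_sha512`, `verify_sha512`, `count_md5_files`) and the sample artifact are this example's own.

```shell
#!/bin/sh
# Added example (not project code): SHA-512 checksum files for release
# artifacts, replacing .md5 files as the new policy asks.

# Print the hex SHA-512 of a file, using whichever tool the host provides.
sha512_hex() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Write <artifact>.sha512 next to the artifact as "HEX  basename".
# Using the basename (not a full path) keeps the file valid after mirroring.
make_sha512() {
  artifact="$1"
  dir=$(dirname "$artifact")
  base=$(basename "$artifact")
  ( cd "$dir" && printf '%s  %s\n' "$(sha512_hex "$base")" "$base" > "$base.sha512" )
}

# Return 0 when <artifact>.sha512 matches the artifact's current content,
# 1 when the file is missing or the digest differs.
verify_sha512() {
  artifact="$1"
  dir=$(dirname "$artifact")
  base=$(basename "$artifact")
  [ -f "$dir/$base.sha512" ] || return 1
  expected=$(cut -d' ' -f1 "$dir/$base.sha512")
  actual=$(cd "$dir" && sha512_hex "$base")
  [ "$expected" = "$actual" ]
}

# Count .md5 files left in a dist directory; the policy wants this at zero
# for new releases.
count_md5_files() {
  find "$1" -name '*.md5' | wc -l | tr -d ' '
}

# Demo on a constructed artifact in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed release artifact\n' > "$demo_dir/apache-example-1.0.tar.gz"
make_sha512 "$demo_dir/apache-example-1.0.tar.gz"
if verify_sha512 "$demo_dir/apache-example-1.0.tar.gz"; then
  echo "checksum OK; md5 files present: $(count_md5_files "$demo_dir")"
fi
rm -rf "$demo_dir"
```

A checksum file only detects accidental corruption and mirror mix-ups; it is not a substitute for the detached GPG signature the same policy section requires, because anyone who can replace the artifact on a mirror can replace the .sha512 beside it.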
Thanks Steve,

Yes, I will remove those MD5 signatures. And thanks for taking care of this!

Ming