Hi Cos,

Thanks for providing a thoughtfully documented review.

On Fri, Jul 17, 2015 at 2:24 PM, Konstantin Boudnik <c...@apache.org> wrote:
> +1 (binding)

> Please consider fixing in the next release:
>  - sha checksum is formatted in a way that makes automatic validation (with
>    sha512sum -c) impossible. Also, it'd be better to make sha512 the suffix for
>    the checksum file. sha is too ambiguous.
>  - md5sum file is pretty much useless considering its weak security
>    properties. Perhaps it makes sense to get rid of it?

As of a few months ago, requirements regarding cryptographic sums and
signatures have been codified in a section of the Release Distribution
Policy, curated by VP Infrastructure.

  http://www.apache.org/dev/release-distribution#sigs-and-sums

If you wanted to make a proposal regarding removal of MD5 checksums,
infrastructure-dev@apache is the place to go.

The format required by sha512sum is a bit of a pain to produce on
systems where sha512sum itself is not available.  For a Mac, or any
other system where Perl is present, something like this will work:

    # Split across several -e chunks instead of backslash-continuing inside the
    # single quotes (the shell passes such a backslash through to Perl, which
    # breaks the open call). Two spaces separate the digest from the file name.
    perl -MDigest \
      -e '$d = Digest->new("MD5");' \
      -e 'open $fh, "<", "apache-foo-1.2.3.tar.gz" or die; binmode $fh;' \
      -e '$d->addfile($fh);' \
      -e 'print $d->hexdigest, "  apache-foo-1.2.3.tar.gz\n";' \
      > apache-foo-1.2.3.tar.gz.md5

I'm sure there are other hack invocations possible with other tools.

Marvin Humphrey
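An added example, not part of the thread above: a POSIX shell script that writes the two-space checksum line `sha512sum -c` expects using whichever of openssl, shasum or sha512sum is installed, and checks such a file the way `sha512sum -c` does, rejecting malformed lines. The file name `sample.bin` used in comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): produce and verify checksum files in the
# two-space format that `sha512sum -c` accepts, on systems without sha512sum.

# Print the lowercase SHA-512 hex digest of one file, using whichever tool exists.
sha512_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha512 "$1" | sed 's/^.*= //'   # strips "SHA512(f)= "
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d' ' -f1            # Perl shasum, ships on macOS
    else
        sha512sum "$1" | cut -d' ' -f1
    fi
}

# Emit one line in coreutils format: <128 hex chars><two spaces><file name>,
# e.g. "sha512_line sample.bin > sample.bin.sha512".
sha512_line() {
    printf '%s  %s\n' "$(sha512_hex "$1")" "$1"
}

# Check every line of a checksum file the way `sha512sum -c` would:
# malformed lines return 2, a missing file or digest mismatch returns 1.
check_sha512_file() {
    while IFS= read -r line; do
        hex=${line%%"  "*}     # text before the first two-space separator
        name=${line#*"  "}     # text after it
        if [ "$name" = "$line" ] || [ "${#hex}" -ne 128 ]; then
            echo "malformed line: $line" >&2; return 2
        fi
        case $hex in *[!0-9a-f]*) echo "malformed line: $line" >&2; return 2 ;; esac
        [ -r "$name" ] || { echo "$name: no such file" >&2; return 1; }
        [ "$(sha512_hex "$name")" = "$hex" ] || { echo "$name: FAILED" >&2; return 1; }
        echo "$name: OK"
    done < "$1"
}
```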

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org