Hi all, With respect to the below mail thread between "sebb" and me, IMHO I don't intend to restart the VOTE mail unless there is a more genuine reason for the same.
If anyone wishes to verify the signature and hashes of archive files as published on the release candidates link, it would require downloading (or you may take an update from SVN) the KEYS file from here " https://svn.apache.org/repos/asf/xerces/java/trunk/KEYS"; which has my public key. You'd need to add these public keys to your public key ring. Of course we're also looking for any functional feedbacks, about the release candidate. This vote mail would progress as already started. Looking forward to your votes. On Thu, Apr 19, 2018 at 3:16 PM, Mukul Gandhi <muk...@apache.org> wrote: > Hello, > Thanks for the feedback. I've written my thoughts below. > > On Thu, Apr 19, 2018 at 2:48 PM, sebb <seb...@gmail.com> wrote: > >> MD5 hashes are now deprecated and should please be removed from the >> download area (and download page) >> > > If we look at the download area of Xerces, i.e http://xerces.apache.org/ > mirrors.cgi > > The previous Xerces-J release (2.11.0) has published a MD5 hash, that's > why I included it. But you're right in saying, " MD5 hashes are now > deprecated". The release signing information at, > http://www.apache.org/dev/release-signing.html#md5 says, > "Please note that the security of MD5 is now questionable and is only > useful as part of a defense in depth.". I think, this wording still gives > us permission to use MD5 hashes (via this, " and is only useful as part > of a defense in depth"). > > >> Tags are not immutable, so for definiteness please include the >> revision in VOTE mails; >> >> for example >> >> Last Changed Rev: 26416 >> >> >> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/ >> >> Directory revision:1829504 (of 1829520) >> >> > [3] >> > http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_ >> 0-xml-schema-1.1/ >> >> Directory revision:1829505 (of 1829520) >> >> > I used this mail as template for the VOTE mail, https://markmail.org/ > message/clmyb53ju4jtghb4 that Michael Glavassevich wrote for the 2.10.0 > release. This mentions only the URLs of the Tag locations. No revision > information is mentioned over there. > -- Regards, Mukul Gandhi
