Hi, I have some more questions before putting out a RC2.

I played around with SHA512 signing and found the following happening consistently:

- the "sources-release" gets signed with SHA512. However, all files (including the .sha512 file!) are signed again with sha1. I don't know where this happens, the mvn output log only shows signing and uploading of the SHA512 signed files.
- the "src" files are only ever signed with SHA1.

See:
https://repository.apache.org/content/repositories/snapshots/org/apache/jdo/3.2-RC2-SNAPSHOT/
https://repository.apache.org/content/repositories/snapshots/javax/jdo/jdo-api/3.2-RC2-SNAPSHOT/

However, there are some interesting statements in the Apache doc (https://infra.apache.org/publishing-maven-artifacts.html), specifically section 3:

a) "Don't try to publish .sha256 or .sha512 files; Nexus doesn't handle them."
a.1) Does this mean that it is alright/intended that everything is (also) signed with sha1, i.e. because Nexus will only accept sha1?
a.2) Is it okay to sign only the "sources-release" with sha512? The example in https://maven.apache.org/pom/asf/ refers only to signing the "source-release" file.

b) "Remove .md5s in dist.apache.org/repos/dist/release/ manually."
b.1) Does this mean it is okay to have more files than necessary uploaded because we can/should remove them afterwards? For example, we could also manually remove the signed signature files, such as jdo-3.2-RC2-20211107.210811-3-source-release.zip.sha512.sha1 (https://repository.apache.org/content/repositories/snapshots/org/apache/jdo/3.2-RC2-SNAPSHOT/jdo-3.2-RC2-20211107.210811-3-source-release.zip.sha512.sha1)

Best,
Til
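The situation described above (artifacts with `.sha1` and `.sha512` sidecars, plus checksum-of-a-checksum files such as `.sha512.sha1`) is easiest to reason about when the repository listing is checked mechanically. The following is an added example, not code from the message above or from the Apache JDO project: a small Python checker that walks a directory laid out like the snapshot repository, recomputes each sidecar's digest against its artifact, and sorts the sidecars into verified, mismatched, orphaned (no artifact present) and redundant (a checksum of another checksum file). It assumes the Maven convention that a checksum sidecar holds the hex digest as its first whitespace-separated token; the file names and contents in `build_sample_repo` are constructed for the example (the artifact name is taken from the listing above, the bytes are not a real release).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Sidecar extension -> hashlib algorithm name, as used in Maven repositories.
CHECKSUM_EXTS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}


def compute_digest(path, algo):
    """Stream a file through the given hash and return the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_checksum_file(path):
    """Return the digest stored in a sidecar (assumption: hex digest is the first token)."""
    return Path(path).read_text().split()[0].lower()


def check_repo_dir(directory):
    """Classify every checksum sidecar in `directory` by comparing it to its artifact."""
    directory = Path(directory)
    report = {"verified": [], "mismatched": [], "orphaned": [], "redundant": []}
    for sidecar in sorted(directory.iterdir()):
        algo = CHECKSUM_EXTS.get(sidecar.suffix)
        if algo is None:
            continue  # not a checksum sidecar (the artifact itself, .asc, .pom, ...)
        target = sidecar.with_suffix("")  # strip the checksum extension
        if target.suffix in CHECKSUM_EXTS:
            # e.g. foo.zip.sha512.sha1: a checksum of a checksum file, adds no integrity
            report["redundant"].append(sidecar.name)
            continue
        if not target.exists():
            report["orphaned"].append(sidecar.name)
            continue
        expected = read_checksum_file(sidecar)
        actual = compute_digest(target, algo)
        # constant-time comparison, so the check itself is not a side channel
        bucket = "verified" if hmac.compare_digest(expected, actual) else "mismatched"
        report[bucket].append(sidecar.name)
    return report


def build_sample_repo(directory):
    """Populate `directory` with constructed sample files mirroring the snapshot layout."""
    directory = Path(directory)
    artifact = directory / "jdo-3.2-RC2-20211107.210811-3-source-release.zip"
    artifact.write_bytes(b"constructed sample bytes, not a real release zip\n")
    # correct SHA-512 sidecar, as a release build would produce it
    sha512 = directory / (artifact.name + ".sha512")
    sha512.write_text(compute_digest(artifact, "sha512") + "\n")
    # constructed stale SHA-1 sidecar that does not match the artifact
    (directory / (artifact.name + ".sha1")).write_text("0" * 40 + "\n")
    # checksum of the checksum file, the .sha512.sha1 pattern seen in the listing
    (directory / (artifact.name + ".sha512.sha1")).write_text(compute_digest(sha512, "sha1") + "\n")
    # sidecar whose artifact is missing from the directory (constructed name)
    (directory / "jdo-api-3.2-RC2-SNAPSHOT.jar.sha1").write_text("0" * 40 + "\n")


def demo():
    """Build the constructed sample repository in a temp dir and return its report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return check_repo_dir(tmp)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Running `check_repo_dir` against a local mirror of the snapshot directory gives a quick answer to the question of which extra files are merely redundant and which ones actually disagree with the artifact; only the "mismatched" bucket indicates an integrity problem, while "redundant" entries are the candidates for manual removal discussed in b.1).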