Hi, the INFRA ticket just got updated.

Could someone have a look whether I am describing the process/issue correctly?

https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461830#comment-17461830

Thanks,
Til

-------- Forwarded Message --------
Subject: [jira] [Comment Edited] (INFRA-22540) Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5
Date: Sat, 18 Dec 2021 10:26:00 +0000 (UTC)
From: Herve Boutemy (Jira) <j...@apache.org>
To: tilma...@apache.org

[ https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461830#comment-17461830 ]

Herve Boutemy edited comment on INFRA-22540 at 12/18/21, 10:25 AM:
-------------------------------------------------------------------

we had such a discussion at Maven level: there is in general a confusion between

1. Apache rules on source release to dist, which mandate sha256/sha512
2. Central rules on every artifact (jar, pom, anything not related to Apache source release), which still ask for sha1/md5 for checksums and PGP signature for more serious checks

in Apache parent POM release 24 MPOM-244, we added a configuration to generate sha512 for source-release artifacts when publishing to Nexus/Central to help projects: see documentation https://maven.apache.org/pom/asf/#The_apache-release_Profile

but not every project uses Apache parent POM, or did not upgrade to 24, or do not even use Maven to build, so I don't know what's the best solution for [~tilmannz]

at least, please consider the difference in policy of Apache source release archive vs any other artifact published to Central if you change something


Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5
--------------------------------------------------------------------------

                Key: INFRA-22540
                URL: https://issues.apache.org/jira/browse/INFRA-22540
            Project: Infrastructure
         Issue Type: Improvement
         Components: Nexus
           Reporter: Tilmann Zäschke
           Priority: Major

The Release Distribution Policy (https://infra.apache.org/release-distribution) states: "PMCs must supply SHA-256 and/or SHA-512 and should not supply MD5 or SHA-1."

However, currently, the Apache Rules in Nexus appear to enforce that all files (including .zip and .tar.gz) have .sha1 and .md5 pendants. For our project "closing" a release candidate fails with:

Event: Failed: Checksum Validation
typeId checksum-staging
failureMessage Required SHA-1: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1'
failureMessage Required MD5: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5'
failureMessage Required SHA-1: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1'
failureMessage Required MD5: '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5'

Can the Apache Rules in Nexus be adapted to allow or even enforce that files (other than .jar/.pom) be signed with sha256/sha512 instead of sha1/md5?

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
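Added here as an illustration, not code from the ticket, from Nexus or from the Maven parent POM: a small Python checker that models the two checksum policies Herve distinguishes. It writes sha256/sha512 sidecars for a constructed stand-in of the jdo-3.2-RC3 source-release zip and then reports, in the wording of the ticket's failure messages, what a Central-style sha1/md5 rule still demands versus what the ASF sha256/sha512 policy demands. The temp-directory layout, the demo() helper and the "Mismatch" message for a wrong digest are my own assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# The two checksum policies named in the thread: Central staging still requires
# sha1/md5 sidecars, the ASF release-distribution policy requires sha256/sha512.
CENTRAL_POLICY = ("sha1", "md5")
ASF_DIST_POLICY = ("sha256", "sha512")

def file_digest(path: Path, algo: str) -> str:
    """Hex digest of a file, streamed so a large source-release archive is not read at once."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_sidecar(artifact: Path, algo: str) -> Path:
    """Write <artifact>.<algo> in the 'hexdigest  filename' layout that sha512sum -c reads."""
    sidecar = artifact.with_name(f"{artifact.name}.{algo}")
    sidecar.write_text(f"{file_digest(artifact, algo)}  {artifact.name}\n")
    return sidecar

def validate_staging(artifacts, policy):
    """Model of the Nexus checksum-staging rule: one sidecar per policy algorithm, and it
    must match the file. Missing sidecars use the ticket's wording ("Required SHA-1:
    '<path>'"); the "Mismatch" wording for a wrong digest is this example's own."""
    failures = []
    for artifact in artifacts:
        for algo in policy:
            label = algo.upper().replace("SHA", "SHA-")  # sha1 -> SHA-1, md5 -> MD5
            sidecar = artifact.with_name(f"{artifact.name}.{algo}")
            if not sidecar.exists():
                failures.append(f"Required {label}: '{sidecar}'")
            elif sidecar.read_text().split()[0].lower() != file_digest(artifact, algo):
                failures.append(f"Mismatch {label}: '{sidecar}'")
    return failures

def demo():
    """Stage a constructed jdo-3.2-RC3 source-release zip with only sha256/sha512
    sidecars (the situation the ticket describes) and check it against both policies."""
    rc = Path(tempfile.mkdtemp()) / "org" / "apache" / "jdo" / "3.2-RC3"
    rc.mkdir(parents=True)
    artifact = rc / "jdo-3.2-RC3-source-release.zip"
    artifact.write_bytes(b"constructed stand-in for the real source-release archive")
    for algo in ASF_DIST_POLICY:
        write_sidecar(artifact, algo)
    return validate_staging([artifact], CENTRAL_POLICY), validate_staging([artifact], ASF_DIST_POLICY)
```

Calling demo() returns two lists: the Central-style check reports the missing .sha1 and .md5 sidecars exactly as in the ticket, while the ASF-policy check returns an empty list because the sha256/sha512 sidecars are present and match.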