[ https://issues.apache.org/jira/browse/LOG4J2-2958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17301001#comment-17301001 ]
Ralph Goers commented on LOG4J2-2958:
-------------------------------------
Here is a follow-up. The documented [release distribution
policy|https://infra.apache.org/release-distribution.html] corrects the mistake
of the email noted previously. It says:
|For every artifact distributed to the public through Apache channels, the PMC
* *must* supply a valid OpenPGP-compatible ASCII-armored detached signature
file.
* *must* supply at least one checksum file.
* *should* supply a SHA-256 and/or SHA-512 checksum file.
* *SHOULD NOT* supply a MD5 or SHA-1 checksum file because these are
deprecated.
For new releases, PMCs *must* supply SHA-256 and/or SHA-512 and *should not*
supply MD5 or SHA-1. Existing releases do not need to be changed.|
So, in compliance with this policy we won't be updating the md5.
> MD5 hash is deprecated
> ----------------------
>
> Key: LOG4J2-2958
> URL: https://issues.apache.org/jira/browse/LOG4J2-2958
> Project: Log4j 2
> Issue Type: Bug
> Reporter: Sebb
> Priority: Major
>
> The download page
> [https://logging.apache.org/log4j/2.x/download.html]
> uses md5 hashes for release 2.3.
> However, there are sha256 and sha512 hashes; one of these should be used
> instead, and the md5 hashes dropped from the download host. The sha1 hashes
> likewise are deprecated and should be deleted.