Yep. I'm not sure exactly how much longer than this it has been the
recommendation, but after noticing we started swapping each component
at Qpid over to using SHA512 checksums in March as they each get
released. Most have changed over now, though there are still a couple of final, less
frequently released bits left to go.
If people are concerned about dropping the SHA1 outright we could always
have both, perhaps for a time as a form of switchover period. I don't
personally think that's really necessary.
Robbie
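As an added illustration of the flow discussed in this thread (this is not the project's download-release.sh, nor Robbie's own script), the snippet below verifies an artifact's detached PGP signature, rewrites the bare-digest .md5 that Nexus serves so that it carries the filename, generates a .sha512 in `sha512sum -c` format, and re-checks every checksum file as a final sanity pass. The function names, the example artifact name and its contents are constructed for the example; it assumes GNU coreutils and, for the signature step only, a gpg whose keyring already holds the release signing key.

```shell
#!/bin/sh
# Added example, not the Artemis project's own script: verify signature,
# fix up .md5 with filename info, generate .sha512, then re-verify all.
# Assumes GNU coreutils (md5sum/sha512sum) on PATH.
set -eu

# Verify the detached ASCII-armoured signature for one artifact.
# Only the signature proves who published the file; a checksum by itself
# only detects corruption, since an attacker who swaps the artifact can
# swap the checksum file next to it too.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# Nexus publishes .md5/.sha1 as a bare hex digest with no filename, which
# "md5sum -c" cannot consume. Rewrite it as "<digest>  <filename>", but
# only after confirming the downloaded digest matches the artifact.
fix_md5_file() {
    artifact=$1
    expected=$(tr -d ' \n\r' < "$artifact.md5")
    actual=$(md5sum "$artifact" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "md5 mismatch for $artifact" >&2; return 1; }
    printf '%s  %s\n' "$actual" "$(basename "$artifact")" > "$artifact.md5"
}

# Generate a SHA-512 checksum file in "sha512sum -c" format. Run from the
# artifact's directory so only the bare filename is embedded, not a path
# that is meaningless on the downloader's machine.
make_sha512_file() {
    name=$(basename "$1")
    ( cd "$(dirname "$1")" && sha512sum "$name" > "$name.sha512" )
}

# Final sanity check over every checksum file in a directory: exits
# non-zero if any digest disagrees with its file.
verify_checksums() {
    ( cd "$1" && md5sum -c ./*.md5 && sha512sum -c ./*.sha512 )
}

# Full pipeline for one downloaded artifact; gpg runs only if a .asc exists.
process_artifact() {
    if [ -f "$1.asc" ]; then verify_signature "$1"; fi
    fix_md5_file "$1"
    make_sha512_file "$1"
}

# Usage: ./checksums.sh <artifact>... (all artifacts in one directory)
if [ $# -gt 0 ]; then
    for f in "$@"; do process_artifact "$f"; done
    verify_checksums "$(dirname "$1")"
fi
```

The point of the filename rewrite is that testers and end users can then run `md5sum -c *.md5` and `sha512sum -c *.sha512` directly, as Robbie describes; a .md5 containing only the digest makes `-c` report "no properly formatted checksum lines found" instead.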
On 15 September 2017 at 21:18, Timothy Bish wrote:
> On 09/15/2017 03:59 PM, Clebert Suconic wrote:
>>
>> Just for my education. Why did you decide to drop downloading the .sha1 and
>> create a new one?
>>
>> All the other downloads we have are using the .sha1?
>
> As Robbie stated in the original message the Apache recommendation for
> signatures on the official release artifacts is a sha512 based signature,
> not the older sha1 that is used in the unofficial maven release artifacts.
>
> Refer here:
> http://www.apache.org/dev/release-distribution.html#sigs-and-sums
>
>>
>> On Fri, Sep 15, 2017 at 11:56 AM Robbie Gemmell wrote:
>>
>>> I tweaked the helper script to verify the downloaded tar/zip files
>>> using their downloaded signature, then update the downloaded .md5 file
>>> with filename info so it can verify easily with CLI tools, dropped
>>> downloading the .sha1 and generated a new .sha512, and then at the end
>>> verifies all the checksums as a sanity check (somewhat superfluous for
>>> the SHA512, but doesn't hurt).
>>>
>>> https://github.com/apache/activemq-artemis/commit/b7b2960e1f1870246f0c113f56d22cfc0f7a4269
>>>
>>> If folks are happy with this I can update the instructions at
>>> https://github.com/apache/activemq-artemis/blob/master/RELEASING.md to
>>> reflect the slight process changes needed.
>>>
>>> Robbie
>>>
>>> On 14 September 2017 at 15:32, Clebert Suconic wrote:
I thought about checking the sum. Didn't have time.
I would check the files created by Nexus instead of creating new ones
though.
Feel free to tweak the script. I will be out for a week. I will just
finish the release and I will be away for a week.
On Thu, Sep 14, 2017 at 5:48 AM Robbie Gemmell wrote:
> Script looks good, though I'd tweak it a little to cover the eased
> checksum verification and supplying a SHA512 one (more below).
>
> I agree that similar changes would be good for the ActiveMQ 5 releases
> also, that's the main reason I didn't just detail things on the Artemis
> 2.3.0 vote thread.
>
> Back to the script, I'd suggest tweaking it to add a check that the
> signature verifies to ensure the downloaded files are ok, then rather
> than download the .sha1 I'd have it generate a .sha512 file instead,
> and would similarly update/regenerate the .md5 file to embed filename
> info so it verifies easily with the CLI tooling. E.g:
>
> gpg --verify $theFile.asc
> md5sum $theFile > $theFile.md5
> sha512sum $theFile > $theFile.sha512
>
> Then testers and end users downloading the checksum files can just
> verify them with the -c flags on the CLI tools, e.g you can check all
> the checksums with just:
> md5sum -c *.md5
> sha512sum -c *.sha512
>
> On 13 September 2017 at 23:36, Clebert Suconic
> wrote:
>>
>> Ok, fair enough... I can see this as a process improvement.
>>
>> I just wasn't understanding what you were proposing clearly enough.
>>
>> I just added this script here:
>>
>> https://github.com/apache/activemq-artemis/blob/master/scripts/download-release.sh
>>
>> I didn't update the RELEASE.md yet...
>>
>>
>> I would add that during the release, you use the download-release from
>> the staged mvn repo using that script into the dev area.
>> The vote would have the staged download on dev, and we just make a
>> simple copy from one place to the other.. and remove the previous
>> thing.
>>
>>
>> But I think this should be also done on ActiveMQ 5 releases.
>>
>> The thing that threw me off was when you mentioned extra work.. there's
>> no extra work here :)
>> It's actually saving me from screwing up eventually, so I take it as
>> an improvement.
>>
>>
>> On Wed, Sep 13, 2017 at 1:19 PM, Robbie Gemmell wrote:
>>>
>>> Yes, that's essentially what I mean and do. I have a txt file I keep
>>> some comments in as notes, and can source as a script to download the
>>> various tars and signatures from nexus (though it could equally pull
>>> them from the maven local repo, verifying the Nexus ones is good I