Suraj Acharya created AVRO-2071:
-----------------------------------

             Summary: Change of signatures in release
                 Key: AVRO-2071
                 URL: https://issues.apache.org/jira/browse/AVRO-2071
             Project: Avro
          Issue Type: Improvement
          Components: build
    Affects Versions: 1.7.8, 1.9.0, 1.8.3
            Reporter: Suraj Acharya
            Assignee: Suraj Acharya


{quote}
Hi PMC,

   The Release Distribution Policy[1] changed regarding .sha files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

  Old policy :

    -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

  New policy :

     -- use .sha1 for a SHA-1 checksum
     -- use .sha256 for a SHA-256 checksum
     -- use .sha512 for a SHA-512 checksum
     -- [*] .sha should contain a SHA-1

  Why this change ?

     -- Verifying a checksum under the old policy is/was not handy.
        You have to inspect the .sha to find out which algorithm
        should be used ; or try them all (SHA-1, SHA256, etc).
        The new scheme avoids this ambiguity.
     -- The last point[*] was only added for clarity. Most of the
        old, stale .sha's contain a SHA-1. The relatively new .sha's
        contain a SHA-512. The expectation is that the last category will
        disappear, when active projects adapt to the 'new' convention.

  Impact :

     -- Should be none ; many projects already use the 'new' convention.
     -- Please ask your release managers to use .sha1, .sha256, .sha512
        instead of the .sha extension.
     -- Please fix your build-tools if you have any.

  Piggyback :

     -- The policy requires a .md5 for every package ;
        providing a .sha512 is recommended.
        Since MD5 is essentially broken, it is to be expected that
        in the future a .sha512 will be required.
        Perhaps it is wise to start providing .sha512's
        with your releases if you do not already do so.

     -- Visit http://mirror-vm.apache.org/checker/
        to check the health of your /dist/-area ;
        my stuff ; any feedback is most welcome.

  Thanks ; regards,

  Henk Penning

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

------------------------------------------------------------
Henk P. Penning ; apache.org infrastructure volunteer.
he...@apache.org ; http://mirror-vm.apache.org/~henkp/
{quote}

We will need to update the build.sh to conform to these activities.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
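
The ambiguity described in the quoted mail, as an added shell example (not Avro's build.sh and not ASF tooling): the checksum file's extension selects the algorithm, and only a legacy .sha file falls back to guessing from the digest length. It assumes GNU coreutils (md5sum, sha1sum, sha256sum, sha512sum) and a checksum file that holds the digest as one unbroken hex string; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not Avro's build.sh).
# Assumes GNU coreutils and a digest stored as one unbroken hex run.

# digest_in <checksum-file>: print the first hex digest found, lower-cased.
digest_in() {
    tr 'A-F' 'a-f' < "$1" | grep -oE '[0-9a-f]{32,128}' | head -n 1
}

# algo_for <checksum-file>: print the tool that matches the file.
algo_for() {
    case "$1" in
        *.md5)    echo md5sum ;;
        *.sha1)   echo sha1sum ;;
        *.sha256) echo sha256sum ;;
        *.sha512) echo sha512sum ;;
        *.sha)
            # Old convention: the extension says nothing, so guess from
            # the digest length (40, 64 or 128 hex characters).
            d=$(digest_in "$1")
            case ${#d} in
                40)  echo sha1sum ;;
                64)  echo sha256sum ;;
                128) echo sha512sum ;;
                *)   return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# verify_sum <artifact> <checksum-file>: 0 on match, 1 on mismatch,
# 2 when the algorithm cannot be determined.
verify_sum() {
    tool=$(algo_for "$2") || { echo "cannot tell algorithm: $2" >&2; return 2; }
    want=$(digest_in "$2")
    have=$("$tool" < "$1" | cut -d ' ' -f 1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Usage (file names are placeholders):
#   verify_sum avro-src.tar.gz avro-src.tar.gz.sha512
```

With an explicit extension the named algorithm is authoritative, so a SHA-512 digest stored in a .sha1 file fails verification instead of being silently accepted.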
