Re: SHA-512 for Maven deployment

2021-01-15 Thread Petr Ivanov
I will take it over.


> On 15 Jan 2021, at 12:37, Andrey Mashenkov  wrote:
> 
> I've created a ticket for the issue [1].
> Someone who fully understands the release process may pick it up.
> 
> [1] https://issues.apache.org/jira/browse/IGNITE-13999
> 

Re: SHA-512 for Maven deployment

2021-01-14 Thread Andrey Mashenkov
Val, I didn't find a way to make a local deploy, so I just ran
'install'.

Yes, you are right, only the source jar is signed.
It seems we need to configure the checksum plugin for signing binary jars, as
is done in Maven-parent or any other project.


Re: SHA-512 for Maven deployment

2021-01-14 Thread Valentin Kulichenko
Andrey,

Did you try on the 2.x or 3.x?

I've just tried to do the same in ignite-3, but it didn't work for me. I've
updated the parent pom version to 23 and ran "mvn clean deploy
-Papache-release". The source package is now signed with SHA512, which is
good, but there was no effect on the JAR artifacts. As a matter of fact, I
don't see any checksum files for them. My guess is that by default they are
generated by the deploy plugin, during the upload to Maven. Here is the
resulting staging (still MD5 and SHA1):
https://repository.apache.org/content/repositories/orgapacheignite-1505/

Does it behave in the same way for you?

-Val
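
An added example, not part of the original messages and not Ignite or Maven project code: a Python audit of the state described in the message above, where a staged directory carries only MD5/SHA1 sidecars for the JARs while the source package has a SHA-512 one. The file names and the `.md5`/`.sha1`/`.sha256`/`.sha512` sidecar extensions are assumptions, and the sample files are constructed.

```python
"""Audit a Maven repository directory for checksum sidecar files (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Assumed sidecar extension -> hashlib algorithm name.
SIDECARS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}
STRONG = {"sha256", "sha512"}    # the algorithms the thread wants to move to
SKIP = set(SIDECARS) | {"asc"}   # checksum and signature files are not artifacts


def file_digest(path, algo):
    """Hash a file in chunks so large JARs do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(repo_dir):
    """Return {artifact: {"verified": [...], "mismatch": [...], "strong": bool}}."""
    repo_dir = Path(repo_dir)
    report = {}
    for artifact in sorted(repo_dir.rglob("*")):
        if not artifact.is_file() or artifact.suffix.lstrip(".") in SKIP:
            continue
        entry = {"verified": [], "mismatch": [], "strong": False}
        for ext, algo in SIDECARS.items():
            sidecar = artifact.with_name(artifact.name + "." + ext)
            if not sidecar.is_file():
                continue
            # A sidecar holds the hex digest, optionally followed by the file name.
            tokens = sidecar.read_text(encoding="ascii", errors="replace").split()
            recorded = tokens[0].lower() if tokens else ""
            if recorded == file_digest(artifact, algo):
                entry["verified"].append(ext)
            else:
                entry["mismatch"].append(ext)
        # Only a sidecar that actually matches the file counts as coverage.
        entry["strong"] = any(ext in STRONG for ext in entry["verified"])
        report[artifact.relative_to(repo_dir).as_posix()] = entry
    return report


def weak_only(report):
    """Artifacts with no verified SHA-256/SHA-512 sidecar."""
    return sorted(name for name, entry in report.items() if not entry["strong"])


def build_sample(root):
    """Constructed layout: JAR with MD5/SHA1 only, source zip with SHA-512."""
    root = Path(root)
    jar = root / "demo-core-1.0.jar"
    jar.write_bytes(b"constructed jar bytes")
    for ext in ("md5", "sha1"):
        (root / (jar.name + "." + ext)).write_text(file_digest(jar, ext))
    src = root / "demo-1.0-source-release.zip"
    src.write_bytes(b"constructed source archive")
    (root / (src.name + ".sha512")).write_text(
        file_digest(src, "sha512") + "  " + src.name + "\n")
    pom = root / "demo-core-1.0.pom"
    pom.write_bytes(b"<project/>")
    # A stale sidecar: present, but it does not match the file.
    (root / (pom.name + ".sha512")).write_text("0" * 128)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = audit(build_sample(tmp))
        for name, entry in result.items():
            print(name, entry)
        print("no verified SHA-256/SHA-512:", weak_only(result))
```

Run against a local copy of a staged repository, `weak_only()` lists exactly the artifacts that would still ship with MD5/SHA1 only.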


Re: SHA-512 for Maven deployment

2021-01-14 Thread Andrey Mashenkov
I've run "mvn clean install" with the "apache-release" profile enabled and see
*.sha-512 checksum files in target directories.
So, upgrading to the latest apache parent looks sufficient.



Re: SHA-512 for Maven deployment

2021-01-14 Thread Petr Ivanov
It seems that the parent is already updated in
https://issues.apache.org/jira/browse/IGNITE-13987 






Re: SHA-512 for Maven deployment

2021-01-13 Thread Valentin Kulichenko
Andrey,

This sounds even better. Can you create a ticket for this change?

-Val

On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov 
wrote:

> Val,
>
> I've just found Maven projects use SHA-512.
> I passed through commits and found they just switched to newer parent
> org.apache:apache pom.
> I've compared our current parent pom with the latest available one
> (org.apache:apache:16 vs org.apache:apache:23)
> and then found checksum-maven-plugin was added [1] sometime in between.
>
> So, it seems we have to switch to the newer apache pom and maybe add
> checksum-maven-plugin
> to our main pom.
>
> [1]
>
> https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a
>
> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <
> valentin.kuliche...@gmail.com> wrote:
>
> > Hi Andrey,
> >
> > This indeed sounds like the cleanest way. I don't know how much effort
> that
> > would be though.
> >
> > -Val
> >
> > On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <
> > andrey.mashen...@gmail.com> wrote:
> >
> > > Maybe, we could donate to maven plugin possibility to switch to
> SHA-512.
> > > Hopefully, a new plugin version will be released before we have any
> > release
> > > candidate.
> > >
> > > > Does it look like a big deal?
> > > >
> > > > Wed, 13 Jan 2021, 21:32 Valentin Kulichenko <
> > > valentin.kuliche...@gmail.com>:
> > >
> > > > Hi Ivan,
> > > >
> > > > No, I haven't found a way yet. SHA1 still works, but I believe we
> > should
> > > > consider using better options in future releases.
> > > >
> > > > Do you have any ideas on how to implement this?
> > > >
> > > > -Val
> > > >
> > > > On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin 
> > > > wrote:
> > > >
> > > > > Folks,
> > > > >
> > > > > Were you able to resolve this?
> > > > >
> > > > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> > > > > valentin.kuliche...@gmail.com>:
> > > > > > Hi Ivan,
> > > > > >
> > > > > > Thanks for your response. I've looked into the PGP plugin, and
> > > > > > unfortunately it looks like it only can create signatures, but
> not
> > > > > > checksums.
> > > > > >
> > > > > > -Val
> > > > > >
> > > > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <
> > > bessonov...@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > >> Hi,
> > > > > >>
> > > > > >> I've never done this before, but it seems like we need
> > > > maven-gpg-plugin
> > > > > >> for
> > > > > >> it [1].
> > > > > >>
> > > > > >> Algorithm configuration would look like this:
> > > > > >> 
> > > > > >> --digest-algo=SHA512
> > > > > >> 
> > > > > >>
> > > > > >> Maybe this will help.
> > > > > >>
> > > > > >> [1]
> > > > > >>
> > > > > >>
> > > > >
> > > >
> > >
> >
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > > > > >>
> > > > > > >> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
> > > > > >> valentin.kuliche...@gmail.com>:
> > > > > >>
> > > > > >> > Igniters,
> > > > > >> >
> > > > > >> > I've been preparing the 3.0.0-alpha1 release and got confused
> > > about
> > > > > the
> > > > > >> > requirements for checksums in Maven deployments. The Apache
> > > > > instruction
> > > > > >> [1]
> > > > > >> > states that MD5 is deprecated and SHA1 should be avoided in
> > favor
> > > of
> > > > > >> > SHA-256 or SHA-512. However, it looks like we are still using
> > the
> > > > > >> MD5/SHA1
> > > > > >> > combination (at least that's what the staging for 2.9.1 [2]
> > > > contains).
> > > > > >> >
> > > > > >> > On top of that, I can't find an easy way to switch to another
> > > > checksum
> > > > > >> > -
> > > > > >> > Maven deploy plugin [3] creates MD5 and SHA1 files
> automatically
> > > and
> > > > > >> > doesn't seem to have any options to tweak this behavior.
> > > > > >> >
> > > > > >> > That said, I have two questions:
> > > > > >> >
> > > > > > >> >   1. Are we required to use SHA512 or MD5/SHA1 is OK for now?
> > > > > > >> >   2. Is there a painless way to include SHA512 in addition to
> > > > > >> > MD5/SHA1?
> > > > > >> >
> > > > > >> > Can anyone shed some light on this?
> > > > > >> >
> > > > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts
> > > > > >> > [2]
> > > > > >> >
> > > > > >> >
> > > > > >>
> > > > >
> > > >
> > >
> >
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > > > > >> > [3]
> > > > > >>
> > > https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > > > > >> >
> > > > > >> > -Val
> > > > > >> >
> > > > > >>
> > > > > >>
> > > > > >> --
> > > > > >> Sincerely yours,
> > > > > >> Ivan Bessonov
> > > > > >>
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Best regards,
> > > > > Ivan Pavlukhin
> > > > >
> > > >
> > >
> >
>
>
> --
> Best regards,
> Andrey V. Mashenkov
>


Re: SHA-512 for Maven deployment

2021-01-13 Thread Andrey Mashenkov
Val,

I've just found Maven projects use SHA-512.
I passed through commits and found they just switched to newer parent
org.apache:apache pom.
I've compared our current parent pom with the latest available one
(org.apache:apache:16 vs org.apache:apache:23)
and then found checksum-maven-plugin was added [1] sometime in between.

So, it seems we have to switch to the newer apache pom and maybe add
checksum-maven-plugin
to our main pom.

[1]
https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a

On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko <
valentin.kuliche...@gmail.com> wrote:

> Hi Andrey,
>
> This indeed sounds like the cleanest way. I don't know how much effort that
> would be though.
>
> -Val
>
> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <
> andrey.mashen...@gmail.com> wrote:
>
> > Maybe, we could donate to maven plugin possibility to switch to SHA-512.
> > Hopefully, a new plugin version will be released before we have any
> release
> > candidate.
> >
> > Does it look like a big deal?
> >
> > Wed, 13 Jan 2021, 21:32 Valentin Kulichenko <
> > valentin.kuliche...@gmail.com>:
> >
> > > Hi Ivan,
> > >
> > > No, I haven't found a way yet. SHA1 still works, but I believe we
> should
> > > consider using better options in future releases.
> > >
> > > Do you have any ideas on how to implement this?
> > >
> > > -Val
> > >
> > > On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin 
> > > wrote:
> > >
> > > > Folks,
> > > >
> > > > Were you able to resolve this?
> > > >
> > > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> > > > valentin.kuliche...@gmail.com>:
> > > > > Hi Ivan,
> > > > >
> > > > > Thanks for your response. I've looked into the PGP plugin, and
> > > > > unfortunately it looks like it only can create signatures, but not
> > > > > checksums.
> > > > >
> > > > > -Val
> > > > >
> > > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <
> > bessonov...@gmail.com>
> > > > > wrote:
> > > > >
> > > > >> Hi,
> > > > >>
> > > > >> I've never done this before, but it seems like we need
> > > maven-gpg-plugin
> > > > >> for
> > > > >> it [1].
> > > > >>
> > > > >> Algorithm configuration would look like this:
> > > > >> 
> > > > >> --digest-algo=SHA512
> > > > >> 
> > > > >>
> > > > >> Maybe this will help.
> > > > >>
> > > > >> [1]
> > > > >>
> > > > >>
> > > >
> > >
> >
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > > > >>
> > > > >> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
> > > > >> valentin.kuliche...@gmail.com>:
> > > > >>
> > > > >> > Igniters,
> > > > >> >
> > > > >> > I've been preparing the 3.0.0-alpha1 release and got confused
> > about
> > > > the
> > > > >> > requirements for checksums in Maven deployments. The Apache
> > > > instruction
> > > > >> [1]
> > > > >> > states that MD5 is deprecated and SHA1 should be avoided in
> favor
> > of
> > > > >> > SHA-256 or SHA-512. However, it looks like we are still using
> the
> > > > >> MD5/SHA1
> > > > >> > combination (at least that's what the staging for 2.9.1 [2]
> > > contains).
> > > > >> >
> > > > >> > On top of that, I can't find an easy way to switch to another
> > > checksum
> > > > >> > -
> > > > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically
> > and
> > > > >> > doesn't seem to have any options to tweak this behavior.
> > > > >> >
> > > > >> > That said, I have two questions:
> > > > >> >
> > > > >> >   1. Are we required to use SHA512 or MD5/SHA1 is OK for now?
> > > > >> >   2. Is there a painless way to include SHA512 in addition to
> > > > >> > MD5/SHA1?
> > > > >> >
> > > > >> > Can anyone shed some light on this?
> > > > >> >
> > > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts
> > > > >> > [2]
> > > > >> >
> > > > >> >
> > > > >>
> > > >
> > >
> >
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > > > >> > [3]
> > > > >>
> > https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > > > >> >
> > > > >> > -Val
> > > > >> >
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Sincerely yours,
> > > > >> Ivan Bessonov
> > > > >>
> > > > >
> > > >
> > > >
> > > > --
> > > >
> > > > Best regards,
> > > > Ivan Pavlukhin
> > > >
> > >
> >
>


-- 
Best regards,
Andrey V. Mashenkov


Re: SHA-512 for Maven deployment

2021-01-13 Thread Valentin Kulichenko
Hi Andrey,

This indeed sounds like the cleanest way. I don't know how much effort that
would be though.

-Val

On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov <
andrey.mashen...@gmail.com> wrote:

> Maybe, we could donate to maven plugin possibility to switch to SHA-512.
> Hopefully, a new plugin version will be released before we have any release
> candidate.
>
> Does it look like a big deal?
>
> Wed, 13 Jan 2021, 21:32 Valentin Kulichenko <
> valentin.kuliche...@gmail.com>:
>
> > Hi Ivan,
> >
> > No, I haven't found a way yet. SHA1 still works, but I believe we should
> > consider using better options in future releases.
> >
> > Do you have any ideas on how to implement this?
> >
> > -Val
> >
> > On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin 
> > wrote:
> >
> > > Folks,
> > >
> > > Were you able to resolve this?
> > >
> > > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> > > valentin.kuliche...@gmail.com>:
> > > > Hi Ivan,
> > > >
> > > > Thanks for your response. I've looked into the PGP plugin, and
> > > > unfortunately it looks like it only can create signatures, but not
> > > > checksums.
> > > >
> > > > -Val
> > > >
> > > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov <
> bessonov...@gmail.com>
> > > > wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> I've never done this before, but it seems like we need
> > maven-gpg-plugin
> > > >> for
> > > >> it [1].
> > > >>
> > > >> Algorithm configuration would look like this:
> > > >> 
> > > >> --digest-algo=SHA512
> > > >> 
> > > >>
> > > >> Maybe this will help.
> > > >>
> > > >> [1]
> > > >>
> > > >>
> > >
> >
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > > >>
> > > > >> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
> > > >> valentin.kuliche...@gmail.com>:
> > > >>
> > > >> > Igniters,
> > > >> >
> > > >> > I've been preparing the 3.0.0-alpha1 release and got confused
> about
> > > the
> > > >> > requirements for checksums in Maven deployments. The Apache
> > > instruction
> > > >> [1]
> > > >> > states that MD5 is deprecated and SHA1 should be avoided in favor
> of
> > > >> > SHA-256 or SHA-512. However, it looks like we are still using the
> > > >> MD5/SHA1
> > > >> > combination (at least that's what the staging for 2.9.1 [2]
> > contains).
> > > >> >
> > > >> > On top of that, I can't find an easy way to switch to another
> > checksum
> > > >> > -
> > > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically
> and
> > > >> > doesn't seem to have any options to tweak this behavior.
> > > >> >
> > > >> > That said, I have two questions:
> > > >> >
> > > > >> >    1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
> > > > >> >    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
> > > >> >
> > > >> > Can anyone shed some light on this?
> > > >> >
> > > >> > [1] https://infra.apache.org/release-signing.html#basic-facts
> > > >> > [2]
> > > >> >
> > > >> >
> > > >>
> > >
> >
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > > >> > [3]
> > > >>
> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > > >> >
> > > >> > -Val
> > > >> >
> > > >>
> > > >>
> > > >> --
> > > >> Sincerely yours,
> > > >> Ivan Bessonov
> > > >>
> > > >
> > >
> > >
> > > --
> > >
> > > Best regards,
> > > Ivan Pavlukhin
> > >
> >
>


Re: SHA-512 for Maven deployment

2021-01-13 Thread Andrey Mashenkov
Maybe we could donate to the Maven plugin the possibility to switch to SHA-512.
Hopefully, a new plugin version will be released before we have any release
candidate.

Does it look like a big deal?

Wed, 13 Jan 2021, 21:32 Valentin Kulichenko <
valentin.kuliche...@gmail.com>:

> Hi Ivan,
>
> No, I haven't found a way yet. SHA1 still works, but I believe we should
> consider using better options in future releases.
>
> Do you have any ideas on how to implement this?
>
> -Val
>
> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin 
> wrote:
>
> > Folks,
> >
> > Were you able to resolve this?
> >
> > 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> > valentin.kuliche...@gmail.com>:
> > > Hi Ivan,
> > >
> > > Thanks for your response. I've looked into the PGP plugin, and
> > > unfortunately it looks like it only can create signatures, but not
> > > checksums.
> > >
> > > -Val
> > >
> > > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov 
> > > wrote:
> > >
> > >> Hi,
> > >>
> > >> I've never done this before, but it seems like we need
> maven-gpg-plugin
> > >> for
> > >> it [1].
> > >>
> > >> Algorithm configuration would look like this:
> > >> 
> > >> --digest-algo=SHA512
> > >> 
> > >>
> > >> Maybe this will help.
> > >>
> > >> [1]
> > >>
> > >>
> >
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> > >>
> > > >> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
> > >> valentin.kuliche...@gmail.com>:
> > >>
> > >> > Igniters,
> > >> >
> > >> > I've been preparing the 3.0.0-alpha1 release and got confused about
> > the
> > >> > requirements for checksums in Maven deployments. The Apache
> > instruction
> > >> [1]
> > >> > states that MD5 is deprecated and SHA1 should be avoided in favor of
> > >> > SHA-256 or SHA-512. However, it looks like we are still using the
> > >> MD5/SHA1
> > >> > combination (at least that's what the staging for 2.9.1 [2]
> contains).
> > >> >
> > >> > On top of that, I can't find an easy way to switch to another
> checksum
> > >> > -
> > >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> > >> > doesn't seem to have any options to tweak this behavior.
> > >> >
> > >> > That said, I have two questions:
> > >> >
> > > >> >    1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
> > > >> >    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
> > >> >
> > >> > Can anyone shed some light on this?
> > >> >
> > >> > [1] https://infra.apache.org/release-signing.html#basic-facts
> > >> > [2]
> > >> >
> > >> >
> > >>
> >
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > >> > [3]
> > >> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> > >> >
> > >> > -Val
> > >> >
> > >>
> > >>
> > >> --
> > >> Sincerely yours,
> > >> Ivan Bessonov
> > >>
> > >
> >
> >
> > --
> >
> > Best regards,
> > Ivan Pavlukhin
> >
>


Re: SHA-512 for Maven deployment

2021-01-13 Thread Valentin Kulichenko
Hi Ivan,

No, I haven't found a way yet. SHA1 still works, but I believe we should
consider using better options in future releases.

Do you have any ideas on how to implement this?

-Val

On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin  wrote:

> Folks,
>
> Were you able to resolve this?
>
> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko <
> valentin.kuliche...@gmail.com>:
> > Hi Ivan,
> >
> > Thanks for your response. I've looked into the PGP plugin, and
> > unfortunately it looks like it only can create signatures, but not
> > checksums.
> >
> > -Val
> >
> > On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov 
> > wrote:
> >
> >> Hi,
> >>
> >> I've never done this before, but it seems like we need maven-gpg-plugin
> >> for
> >> it [1].
> >>
> >> Algorithm configuration would look like this:
> >> 
> >> --digest-algo=SHA512
> >> 
> >>
> >> Maybe this will help.
> >>
> >> [1]
> >>
> >>
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
> >>
> >> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
> >> valentin.kuliche...@gmail.com>:
> >>
> >> > Igniters,
> >> >
> >> > I've been preparing the 3.0.0-alpha1 release and got confused about
> the
> >> > requirements for checksums in Maven deployments. The Apache
> instruction
> >> [1]
> >> > states that MD5 is deprecated and SHA1 should be avoided in favor of
> >> > SHA-256 or SHA-512. However, it looks like we are still using the
> >> MD5/SHA1
> >> > combination (at least that's what the staging for 2.9.1 [2] contains).
> >> >
> >> > On top of that, I can't find an easy way to switch to another checksum
> >> > -
> >> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> >> > doesn't seem to have any options to tweak this behavior.
> >> >
> >> > That said, I have two questions:
> >> >
> >> >    1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
> >> >    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
> >> >
> >> > Can anyone shed some light on this?
> >> >
> >> > [1] https://infra.apache.org/release-signing.html#basic-facts
> >> > [2]
> >> >
> >> >
> >>
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> >> > [3]
> >> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> >> >
> >> > -Val
> >> >
> >>
> >>
> >> --
> >> Sincerely yours,
> >> Ivan Bessonov
> >>
> >
>
>
> --
>
> Best regards,
> Ivan Pavlukhin
>


Re: SHA-512 for Maven deployment

2021-01-13 Thread Ivan Pavlukhin
Folks,

Were you able to resolve this?

2020-12-28 22:15 GMT+03:00, Valentin Kulichenko :
> Hi Ivan,
>
> Thanks for your response. I've looked into the PGP plugin, and
> unfortunately it looks like it only can create signatures, but not
> checksums.
>
> -Val
>
> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov 
> wrote:
>
>> Hi,
>>
>> I've never done this before, but it seems like we need maven-gpg-plugin
>> for
>> it [1].
>>
>> Algorithm configuration would look like this:
>> 
>> --digest-algo=SHA512
>> 
>>
>> Maybe this will help.
>>
>> [1]
>>
>> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
>>
>> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
>> valentin.kuliche...@gmail.com>:
>>
>> > Igniters,
>> >
>> > I've been preparing the 3.0.0-alpha1 release and got confused about the
>> > requirements for checksums in Maven deployments. The Apache instruction
>> [1]
>> > states that MD5 is deprecated and SHA1 should be avoided in favor of
>> > SHA-256 or SHA-512. However, it looks like we are still using the
>> MD5/SHA1
>> > combination (at least that's what the staging for 2.9.1 [2] contains).
>> >
>> > On top of that, I can't find an easy way to switch to another checksum
>> > -
>> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
>> > doesn't seem to have any options to tweak this behavior.
>> >
>> > That said, I have two questions:
>> >
>> >    1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
>> >    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
>> >
>> > Can anyone shed some light on this?
>> >
>> > [1] https://infra.apache.org/release-signing.html#basic-facts
>> > [2]
>> >
>> >
>> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
>> > [3]
>> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
>> >
>> > -Val
>> >
>>
>>
>> --
>> Sincerely yours,
>> Ivan Bessonov
>>
>


-- 

Best regards,
Ivan Pavlukhin


Re: SHA-512 for Maven deployment

2020-12-28 Thread Valentin Kulichenko
Hi Ivan,

Thanks for your response. I've looked into the PGP plugin, and
unfortunately it looks like it only can create signatures, but not
checksums.

-Val

On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov 
wrote:

> Hi,
>
> I've never done this before, but it seems like we need maven-gpg-plugin for
> it [1].
>
> Algorithm configuration would look like this:
> 
> --digest-algo=SHA512
> 
>
> Maybe this will help.
>
> [1]
>
> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html
>
> Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
> valentin.kuliche...@gmail.com>:
>
> > Igniters,
> >
> > I've been preparing the 3.0.0-alpha1 release and got confused about the
> > requirements for checksums in Maven deployments. The Apache instruction
> [1]
> > states that MD5 is deprecated and SHA1 should be avoided in favor of
> > SHA-256 or SHA-512. However, it looks like we are still using the
> MD5/SHA1
> > combination (at least that's what the staging for 2.9.1 [2] contains).
> >
> > On top of that, I can't find an easy way to switch to another checksum -
> > Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> > doesn't seem to have any options to tweak this behavior.
> >
> > That said, I have two questions:
> >
> >    1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
> >    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
> >
> > Can anyone shed some light on this?
> >
> > [1] https://infra.apache.org/release-signing.html#basic-facts
> > [2]
> >
> >
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> > [3]
> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
> >
> > -Val
> >
>
>
> --
> Sincerely yours,
> Ivan Bessonov
>


Re: SHA-512 for Maven deployment

2020-12-27 Thread Ivan Bessonov
Hi,

I've never done this before, but it seems like we need maven-gpg-plugin for
it [1].

Algorithm configuration would look like this:

--digest-algo=SHA512


Maybe this will help.

[1]
http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html

Mon, 28 Dec 2020 at 01:25, Valentin Kulichenko <
valentin.kuliche...@gmail.com>:

> Igniters,
>
> I've been preparing the 3.0.0-alpha1 release and got confused about the
> requirements for checksums in Maven deployments. The Apache instruction [1]
> states that MD5 is deprecated and SHA1 should be avoided in favor of
> SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
> combination (at least that's what the staging for 2.9.1 [2] contains).
>
> On top of that, I can't find an easy way to switch to another checksum -
> Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
> doesn't seem to have any options to tweak this behavior.
>
> That said, I have two questions:
>
>    1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
>    2. Is there a painless way to include SHA512 in addition to MD5/SHA1?
>
> Can anyone shed some light on this?
>
> [1] https://infra.apache.org/release-signing.html#basic-facts
> [2]
>
> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
> [3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html
>
> -Val
>


-- 
Sincerely yours,
Ivan Bessonov


SHA-512 for Maven deployment

2020-12-27 Thread Valentin Kulichenko
Igniters,

I've been preparing the 3.0.0-alpha1 release and got confused about the
requirements for checksums in Maven deployments. The Apache instruction [1]
states that MD5 is deprecated and SHA1 should be avoided in favor of
SHA-256 or SHA-512. However, it looks like we are still using the MD5/SHA1
combination (at least that's what the staging for 2.9.1 [2] contains).

On top of that, I can't find an easy way to switch to another checksum -
Maven deploy plugin [3] creates MD5 and SHA1 files automatically and
doesn't seem to have any options to tweak this behavior.

That said, I have two questions:

   1. Are we required to use SHA512 or is MD5/SHA1 OK for now?
   2. Is there a painless way to include SHA512 in addition to MD5/SHA1?

Can anyone shed some light on this?

[1] https://infra.apache.org/release-signing.html#basic-facts
[2]
https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/
[3] https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html

-Val
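
Added example, not part of the thread or of the Ignite build: a Python audit of a local staging directory that verifies each artifact's checksum sidecars, flags artifacts covered only by MD5/SHA1, and writes the missing SHA-512 files. The function names, the `.sha512` suffix and the sample files are assumptions made for this illustration.

```python
import hashlib
from pathlib import Path

# Sidecar extension -> hashlib name. ".sha512" as the file suffix is an assumption.
SIDECARS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
STRONG = {".sha256", ".sha512"}
SKIP = set(SIDECARS) | {".asc"}  # checksum files and detached PGP signatures

def digest(path, algo):
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()

def audit(root):
    """Map each artifact (path relative to root) to its sidecar checksum status."""
    report = {}
    for art in sorted(Path(root).rglob("*")):
        if not art.is_file() or art.suffix in SKIP:
            continue
        present, bad = [], []
        for ext, algo in SIDECARS.items():
            side = art.with_name(art.name + ext)
            if side.is_file():
                present.append(ext)
                # A sidecar holds "<hex>" or "<hex>  <filename>"; compare the first token.
                tokens = side.read_text().split()
                if not tokens or tokens[0].lower() != digest(art, algo):
                    bad.append(ext)
        strong = any(e in STRONG and e not in bad for e in present)
        report[art.relative_to(root).as_posix()] = {"present": present, "bad": bad, "strong": strong}
    return report

def add_sha512(root):
    """Write a .sha512 sidecar for every artifact lacking one; return the paths written."""
    written = []
    for rel, info in audit(root).items():
        if ".sha512" not in info["present"]:
            art = Path(root) / rel
            art.with_name(art.name + ".sha512").write_text(digest(art, "sha512") + "\n")
            written.append(rel)
    return written

def build_sample(root):
    """Constructed staging layout: a jar with MD5/SHA1 only, a pom with a stale SHA1."""
    jar, pom = Path(root) / "demo-1.0.jar", Path(root) / "demo-1.0.pom"
    jar.write_bytes(b"constructed jar bytes")
    pom.write_bytes(b"<project/>")
    for ext, algo in ((".md5", "md5"), (".sha1", "sha1")):
        jar.with_name(jar.name + ext).write_text(digest(jar, algo))
    pom.with_name(pom.name + ".sha1").write_text("0" * 40)  # deliberately wrong
    (Path(root) / "demo-1.0.jar.asc").write_text("constructed signature placeholder")
```

Call `build_sample()` on an empty temporary directory, then `audit()` and `add_sha512()` on it. A checksum written this way only detects corruption; authenticity still rests on the detached `.asc` signature.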