Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Julian Foad
Daniel Shahaf wrote:
> I don't know if the distinction between "the Subversion developers
> assessed SHA-1 as too weak" and "ASF Infra assessed SHA-1 as too weak"
> is important enough to be drawn in the release notes. The technical argument
> and end result are the same regardless of who made

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Daniel Shahaf
Julian Foad wrote on Mon, 13 Aug 2018 15:28 +0100: > Daniel Shahaf wrote: > > Thank you! Documented in the 1.11 release notes in r1837957. > > Thanks. Maybe change the rationale: > > - We consider the SHA-1 cryptographic hash function too weak for our needs. > + This change follows the ASF

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Julian Foad
Daniel Shahaf wrote: > Thank you! Documented in the 1.11 release notes in r1837957. Thanks. Maybe change the rationale: - We consider the SHA-1 cryptographic hash function too weak for our needs. + This change follows the ASF release policy. ? -- - Julian

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Daniel Shahaf
Julian Foad wrote on Mon, 13 Aug 2018 14:33 +0100:
> Daniel Shahaf wrote:
> > Daniel Shahaf wrote:
> > > Correct me if I'm wrong, but wouldn't reverting the first hunk of
> > > r1837939 and making it conditional upon [...]
> >
> > 'args.version < Version("1.11.0-alpha1")'.
>
> Thanks, Daniel.

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Julian Foad
Daniel Shahaf wrote:
> Daniel Shahaf wrote:
> > Correct me if I'm wrong, but wouldn't reverting the first hunk of
> > r1837939 and making it conditional upon [...]
>
> 'args.version < Version("1.11.0-alpha1")'.

Thanks, Daniel. Tested and committed in http://svn.apache.org/r1837946

--
- Julian

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Daniel Shahaf
Daniel Shahaf wrote on Mon, 13 Aug 2018 12:54 +:
> Correct me if I'm wrong, but wouldn't reverting the first hunk of
> r1837939 and making it conditional upon a 'version < Version(1,11,0)'

Sorry, that would be a RuntimeError. The condition should be 'args.version < Version("1.11.0-alpha1")'.

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Daniel Shahaf
Julian Foad wrote on Mon, 13 Aug 2018 13:32 +0100:
> Daniel Shahaf wrote:
> > Julian Foad wrote on Mon, 13 Aug 2018 12:59 +0100:
> > > * stop producing *.sha1 files and stop listing SHA1 on the 'downloads'
> > > page
> > >
> > > -- http://svn.apache.org/r1837939
> >
> > I was under the

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Julian Foad
Daniel Shahaf wrote:
> Julian Foad wrote on Mon, 13 Aug 2018 12:59 +0100:
> > * stop producing *.sha1 files and stop listing SHA1 on the 'downloads' page
> >
> > -- http://svn.apache.org/r1837939
>
> I was under the impression that we should keep producing *.sha1 files
> for 1.9 and 1.10

Re: No longer supply SHA1 checksums for new releases

2018-08-13 Thread Daniel Shahaf
Julian Foad wrote on Mon, 13 Aug 2018 12:59 +0100:
> We "SHOULD NOT" any longer publish SHA1 checksums for new releases, according
> to
> https://www.apache.org/dev/release-distribution#sigs-and-sums
>
> So I have done this:
>
> * remove references to SHA1 from the documentation
>
> --