[jira] [Comment Edited] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 signatures

2020-06-07 Thread Konrad Windszus (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17127556#comment-17127556
 ] 

Konrad Windszus edited comment on SLING-7534 at 6/7/20, 3:57 PM:
-

Unfortunately Nexus does not seem to generate those new hashes yet: 
https://issues.apache.org/jira/browse/INFRA-14923?focusedCommentId=17127552&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17127552.
 Either we wait for a new ASF parent pom to fix this: 
https://issues.apache.org/jira/projects/MPOM/issues/MPOM-244 or fix our own 
parent meanwhile to generate the SHA512 in a directory which is staged. The 
question is for which artifacts we should generate those checksums.


was (Author: kwin):
Unfortunately Nexus does not seem to generate those new hashes yet: 
https://issues.apache.org/jira/browse/INFRA-14923?focusedCommentId=17127552&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17127552

> Release policy - stop providing MD5 and start providing SHA-512 signatures
> --
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Parent 40
>
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 signatures

2020-05-22 Thread Konrad Windszus (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17113853#comment-17113853
 ] 

Konrad Windszus edited comment on SLING-7534 at 5/22/20, 8:42 AM:
--

{quote}I see that repository.apache.org is already on Nexus
{quote}
It always has been, but now on the latest version 2.14.18.
{quote}That means that the next release should generate the sha512 checksums as 
well.
{quote}
Yes, IIUC


was (Author: kwin):
bq. I see that repository.apache.org is already on Nexus
It always has been, but now on the latest version 2.134.18.

bq. That means that the next release should generate the sha512 checksums as 
well.
Yes, IIUC

> Release policy - stop providing MD5 and start providing SHA-512 signatures
> --
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Parent 40
>
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 signatures

2020-05-22 Thread Konrad Windszus (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17113853#comment-17113853
 ] 

Konrad Windszus edited comment on SLING-7534 at 5/22/20, 8:39 AM:
--

bq. I see that repository.apache.org is already on Nexus
It always has been, but now on the latest version 2.134.18.

bq. That means that the next release should generate the sha512 checksums as 
well.
Yes, IIUC


was (Author: kwin):
> I see that repository.apache.org is already on Nexus
It always has been, but now on the latest version 2.134.18.

> That means that the next release should generate the sha512 checksums as well.
Yes, IIUC

> Release policy - stop providing MD5 and start providing SHA-512 signatures
> --
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Parent 40
>
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 signatures

2020-05-21 Thread Konrad Windszus (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17113778#comment-17113778
 ] 

Konrad Windszus edited comment on SLING-7534 at 5/22/20, 6:10 AM:
--

Finally Nexus 2.14.18 has been released which creates sha512 checksums. We 
should download and verify those during the release check. Also we can upload 
those more easily to dist afterwards.

Regarding https://sling.apache.org/downloads.cgi, we first need to generate the 
checksums manually for all dist artifacts before we can adjust the links in 
https://github.com/apache/sling-site/blob/c42f72983684ae76344638b2aa7561cea66657e4/src/main/jbake/templates/downloads.tpl#L316
 to point to sha512 instead.


was (Author: kwin):
Finally Nexus 2.14.18 has been released which creates sha512 checksums. We 
should download and verify those during the release check.

> Release policy - stop providing MD5 and start providing SHA-512 signatures
> --
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Parent 40
>
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 signatures

2018-10-26 Thread Konrad Windszus (JIRA) 


[ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16665167#comment-16665167
 ] 

Konrad Windszus edited comment on SLING-7534 at 10/26/18 1:29 PM:
--

The most recent update to 
[https://www.apache.org/dev/release-distribution#sigs-and-sums] now states

{quote}
For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT 
supply MD5 or SHA-1. Existing releases do not need to be changed.
{quote}

Still we cannot use proper staging due to INFRA-14923.


was (Author: kwin):
The most recent update to 
[https://www.apache.org/dev/release-distribution#sigs-and-sums] now states

{quote}
For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT 
supply MD5 or SHA-1. Existing releases do not need to be changed.
{quote}

> Release policy - stop providing MD5 and start providing SHA-512 signatures
> --
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Parent 35
>
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Comment Edited] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 signatures

2018-09-03 Thread Konrad Windszus (JIRA) 


[ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16592868#comment-16592868
 ] 

Konrad Windszus edited comment on SLING-7534 at 9/3/18 4:35 PM:


As the first step I updated the ASF Parent Pom in the Sling Parent: 
https://github.com/apache/sling-parent/commit/8d1903a1189424c8ba8a8a110b2dd9d75a8744fe
Still missing: Update the necessary steps at 
http://sling.apache.org/documentation/development/release-management.html#promoting-the-release-1
 as now the dist should rather be based on the target directory than on the 
downloaded artifacts.

Update: Even the Maven team has not yet updated 
https://maven.apache.org/developers/release/maven-project-release-procedure.html#Copy_the_source_release_to_the_Apache_Distribution_Area,
 but I think now it is strictly required that someone builds the release 
version to have the sha512 file (as it is not part of the Maven Staging Repo).


was (Author: kwin):
As the first step I updated the ASF Parent Pom in the Sling Parent: 
https://github.com/apache/sling-parent/commit/8d1903a1189424c8ba8a8a110b2dd9d75a8744fe
Still missing: Update the necessary steps at 
http://sling.apache.org/documentation/development/release-management.html#promoting-the-release-1
 as now the dist should rather be based on the target directory than on the 
downloaded artifacts.

> Release policy - stop providing MD5 and start providing SHA-512 signatures
> --
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Parent 35
>
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)