Re: eliminating MD5 and SHA1 signatures

2020-01-23 Thread Cédric Champeau
Fwiw if you use Gradle 6+ it publishes sha256 and sha512 by default.

On Fri, Jan 17, 2020 at 21:51, leerho wrote:

> When I deploy to repository.apache.org in addition to the .asc
> signatures, either the Maven deploy plugin or the repository always adds
> MD5 and SHA1 signatures as well.
>
> Is there a configuration somewhere that will eliminate these being added?
>
> Lee.
>


Re: eliminating MD5 and SHA1 signatures

2020-01-23 Thread Ted Dunning
This is great.

Any chance to contribute this plugin to maven?



On Thu, Jan 23, 2020 at 12:30 PM Juan Pablo Santos Rodríguez <
juanpablo.san...@gmail.com> wrote:

> Hi,
>
> somewhat related to the question, and just in case anyone is interested,
> maven can be configured to generate the
> .asc and .sha512 files for all the build artifacts. At JSPWiki, we
> overwrite the checksum maven plugin configuration
> from the ASF parent pom to do this [#1]. When copying the release artifacts
> to dist.a.o we also copy these files
> over too, f.ex any subdirectory under [#2]. This makes [#3] a piece of cake
> :-)
>
>
> best regards,
> juan pablo
>
> [#1]: https://github.com/apache/jspwiki/blob/master/pom.xml#L610-L626
> [#2]: https://dist.apache.org/repos/dist/release/jspwiki
> [#3]: https://www.apache.org/dev/release-distribution#sigs-and-sums
>
> On Thu, Jan 23, 2020 at 9:19 AM Bertrand Delacretaz <
> bdelacre...@codeconsult.ch> wrote:
>
> > On Fri, Jan 17, 2020 at 9:51 PM leerho  wrote:
> > > ...either the Maven deploy plugin or the repository always adds
> > > MD5 and SHA1 signatures as well...
> >
> > FWIW, we'd like to stop using MD5 but I don't think we're there yet,
> > the following URLs have more info:
> >
> > http://www.apache.org/dev/release-distribution
> > https://issues.apache.org/jira/browse/INFRA-14923
> > https://issues.sonatype.org/browse/NEXUS-21802
> >
> > -Bertrand
> >
> > -
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
> >
>


Re: eliminating MD5 and SHA1 signatures

2020-01-23 Thread Juan Pablo Santos Rodríguez
Hi,

somewhat related to the question, and just in case anyone is interested,
maven can be configured to generate the
.asc and .sha512 files for all the build artifacts. At JSPWiki, we
overwrite the checksum maven plugin configuration
from the ASF parent pom to do this [#1]. When copying the release artifacts
to dist.a.o we also copy these files
over too, f.ex any subdirectory under [#2]. This makes [#3] a piece of cake
:-)


best regards,
juan pablo

[#1]: https://github.com/apache/jspwiki/blob/master/pom.xml#L610-L626
[#2]: https://dist.apache.org/repos/dist/release/jspwiki
[#3]: https://www.apache.org/dev/release-distribution#sigs-and-sums

On Thu, Jan 23, 2020 at 9:19 AM Bertrand Delacretaz <
bdelacre...@codeconsult.ch> wrote:

> On Fri, Jan 17, 2020 at 9:51 PM leerho  wrote:
> > ...either the Maven deploy plugin or the repository always adds
> > MD5 and SHA1 signatures as well...
>
> FWIW, we'd like to stop using MD5 but I don't think we're there yet,
> the following URLs have more info:
>
> http://www.apache.org/dev/release-distribution
> https://issues.apache.org/jira/browse/INFRA-14923
> https://issues.sonatype.org/browse/NEXUS-21802
>
> -Bertrand
>
>
>
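
An added example, not part of the original thread or of any project's tooling: a release-directory audit for the convention described in the message above, where every artifact carries a `.sha512` and an `.asc` file. It assumes the `.sha512` file holds either a bare hex digest or `sha512sum`-style `digest  filename`; the sample file names and contents are constructed, and the `.asc` check is presence only.

```python
import hashlib
import re
from pathlib import Path

SIDECARS = {".asc", ".sha512", ".sha256", ".md5", ".sha1"}
WEAK = (".md5", ".sha1")
HEX512 = re.compile(r"\b[0-9a-fA-F]{128}\b")  # bare digest or "digest  filename"

def sha512_of(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_release_dir(root):
    """Map each artifact to a list of findings; an empty list means clean."""
    root, report = Path(root), {}
    for art in sorted(p for p in root.rglob("*") if p.is_file() and p.suffix not in SIDECARS):
        findings = []
        sums = art.with_name(art.name + ".sha512")
        m = HEX512.search(sums.read_text()) if sums.exists() else None
        if m is None:
            findings.append("missing or unparseable .sha512")
        elif m.group(0).lower() != sha512_of(art):
            findings.append("sha512 mismatch")
        # Presence check only: verifying the signature needs gpg and the project's KEYS.
        if not art.with_name(art.name + ".asc").exists():
            findings.append("missing .asc")
        findings += ["weak checksum present: " + e for e in WEAK
                     if art.with_name(art.name + e).exists()]
        report[art.relative_to(root).as_posix()] = findings
    return report

def build_sample(root):  # constructed sample tree; names and contents are made up
    root = Path(root)
    good, bad = root / "good-1.0.tar.gz", root / "bad-1.0.zip"
    good.write_bytes(b"constructed artifact A")
    bad.write_bytes(b"constructed artifact B")
    (root / "good-1.0.tar.gz.sha512").write_text(sha512_of(good) + "  good-1.0.tar.gz\n")
    (root / "good-1.0.tar.gz.asc").write_text("placeholder, not a real signature\n")
    (root / "bad-1.0.zip.sha512").write_text("0" * 128 + "\n")
    (root / "bad-1.0.zip.md5").write_text("constructed\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit_release_dir(d))
```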


Re: eliminating MD5 and SHA1 signatures

2020-01-23 Thread Bertrand Delacretaz
On Fri, Jan 17, 2020 at 9:51 PM leerho  wrote:
> ...either the Maven deploy plugin or the repository always adds
> MD5 and SHA1 signatures as well...

FWIW, we'd like to stop using MD5 but I don't think we're there yet,
the following URLs have more info:

http://www.apache.org/dev/release-distribution
https://issues.apache.org/jira/browse/INFRA-14923
https://issues.sonatype.org/browse/NEXUS-21802

-Bertrand




Re: eliminating MD5 and SHA1 signatures

2020-01-22 Thread leerho
Thank you for a very clear answer!

On Wed, Jan 22, 2020 at 11:57 AM Christopher  wrote:

> No. These are generated as part of Maven, and are described as part of
> the Maven2 repository layout[1]. They are (optionally) used by the
> artifact resolver in the Maven client to validate artifacts when they
> are retrieved from a server using the Maven2 repository layout.
>
> It's possible that the tooling will change over time to use newer
> hashes... but I would just ignore these, accepting them as part of the
> Maven tooling, and not necessary to interact with directly.
>
> [1]: https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final
>
> On Fri, Jan 17, 2020 at 3:51 PM leerho  wrote:
> >
> > When I deploy to repository.apache.org in addition to the .asc
> > signatures, either the Maven deploy plugin or the repository always adds
> > MD5 and SHA1 signatures as well.
> >
> > Is there a configuration somewhere that will eliminate these being added?
> >
> > Lee.
>
>
>


Re: eliminating MD5 and SHA1 signatures

2020-01-22 Thread Christopher
No. These are generated as part of Maven, and are described as part of
the Maven2 repository layout[1]. They are (optionally) used by the
artifact resolver in the Maven client to validate artifacts when they
are retrieved from a server using the Maven2 repository layout.

It's possible that the tooling will change over time to use newer
hashes... but I would just ignore these, accepting them as part of the
Maven tooling, and not necessary to interact with directly.

[1]: https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final

On Fri, Jan 17, 2020 at 3:51 PM leerho  wrote:
>
> When I deploy to repository.apache.org in addition to the .asc
> signatures, either the Maven deploy plugin or the repository always adds
> MD5 and SHA1 signatures as well.
>
> Is there a configuration somewhere that will eliminate these being added?
>
> Lee.




eliminating MD5 and SHA1 signatures

2020-01-17 Thread leerho
When I deploy to repository.apache.org in addition to the .asc
signatures, either the Maven deploy plugin or the repository always adds
MD5 and SHA1 signatures as well.

Is there a configuration somewhere that will eliminate these being added?

Lee.