Sean Owen created SPARK-23601:
---------------------------------

             Summary: Remove .md5 files from release
                 Key: SPARK-23601
                 URL: https://issues.apache.org/jira/browse/SPARK-23601
             Project: Spark
          Issue Type: Task
          Components: Build
    Affects Versions: 2.4.0
            Reporter: Sean Owen
            Assignee: Sean Owen


Per email from Henk to PMCs:

{code}
   The Release Distribution Policy[1] changed regarding checksum files.
    See under "Cryptographic Signatures and Checksums Requirements" [2].

      MD5-file == a .md5 file
      SHA-file == a .sha1, .sha256 or .sha512 file

   Old policy :

      -- MUST provide a MD5-file
      -- SHOULD provide a SHA-file [SHA-512 recommended]

   New policy :

      -- MUST provide a SHA- or MD5-file
      -- SHOULD provide a SHA-file
      -- SHOULD NOT provide a MD5-file

      Providing MD5 checksum files is now discouraged for new releases,
      but still allowed for past releases.

   Why this change :

      -- MD5 is broken for many purposes ; we should move away from it.
         https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

   Impact for PMCs :

      -- for new releases :
         -- please do provide a SHA-file (one or more, if you like)
         -- do NOT provide a MD5-file

      -- for past releases :
         -- you are not required to change anything
         -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
            it would be nice if you removed the MD5-file

      -- if, at the moment, you provide MD5-files,
         please adjust your release tooling.
{code}
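
As an added example (not Spark's or the ASF's release tooling), the shell function below audits a release directory against the new policy quoted above and also checks that each .sha512 file still matches its artifact. It assumes GNU coreutils (sha512sum, md5sum) and SHA-files whose first field is the hex digest; the function names and the sample file names are constructed for illustration.

```shell
# Added example, not Spark's release tooling. Assumes GNU coreutils
# (sha512sum, md5sum) and SHA-files whose first field is the hex digest.

# Print one finding per line as "<LEVEL> <artifact> <reason>"; silent when clean.
audit_checksums() {
  local dir="$1" f base ext has_sha want got
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    base=${f##*/}
    case "$base" in
      *.md5) echo "SHOULD-NOT ${base%.md5} MD5-file present"; continue ;;
      *.sha1|*.sha256|*.sha512|*.asc) continue ;;  # sidecar files, not artifacts
    esac
    has_sha=no
    for ext in sha1 sha256 sha512; do
      [ -f "$f.$ext" ] && has_sha=yes
    done
    if [ "$has_sha" = no ] && [ -f "$f.md5" ]; then
      echo "SHOULD $base MD5-file only, no SHA-file"
    elif [ "$has_sha" = no ]; then
      echo "MUST $base no checksum file"
    fi
    # A SHA-file only helps if it still matches the artifact it sits beside.
    if [ -f "$f.sha512" ]; then
      read -r want _ < "$f.sha512"
      got=$(sha512sum "$f" | cut -d' ' -f1)
      [ "$want" = "$got" ] || echo "MISMATCH $base .sha512 differs from artifact"
    fi
  done
  return 0
}

# Build a constructed sample release directory covering each policy case.
make_sample_dir() {
  local d n
  d=$(mktemp -d)
  for n in good legacy md5only bare tampered; do
    echo "payload-$n" > "$d/$n.tgz"
  done
  ( cd "$d" &&
    sha512sum good.tgz > good.tgz.sha512 &&
    sha512sum legacy.tgz > legacy.tgz.sha512 &&
    md5sum legacy.tgz > legacy.tgz.md5 &&
    md5sum md5only.tgz > md5only.tgz.md5 &&
    sha512sum tampered.tgz > tampered.tgz.sha512 &&
    echo "changed after hashing" >> tampered.tgz )
  echo "$d"
}
```

Running `audit_checksums "$(make_sample_dir)"` reports the artifact with no checksum file as MUST, the MD5-only artifact as SHOULD, both .md5 files as SHOULD-NOT, and the modified artifact as MISMATCH.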



