[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Christopher Tubbs (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470211#comment-17470211
 ] 

Christopher Tubbs commented on MNG-6784:


There's also a related discussion on 
https://github.com/apache/maven-apache-parent/pull/40 for MPOM, but the 
conversation moved because a lot of it was out of scope of MPOM... 

> Create correct SHA512 content
> -----------------------------
>
>                 Key: MNG-6784
>                 URL: https://issues.apache.org/jira/browse/MNG-6784
>             Project: Maven
>          Issue Type: Improvement
>          Components: Deployment
>    Affects Versions: 3.6.2
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>
> Currently the created SHA512 which is used for the distribution area contains
> only the checksum but not the filename, which results in bad output if the
> checksums are being checked via a command line tool:
> {code}
> $ shasum -c apache-maven-3.2.5-bin.tar.gz.sha512
> $ shasum: apache-maven-3.2.5-bin.tar.gz.sha512: no properly formatted SHA 
> checksum lines found
> {code}
> The checksum should be enhanced to support that correctly.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470210#comment-17470210
 ] 

Michael Osipov commented on MNG-6784:
-

[~ctubbsii], correct. Back then people requested Resolver to do that and I
refused because I consider those to be an implementation detail of Resolver.
Therefore, this approach has been used. Obviously, we need to make a difference
for ALL Maven-based plugins in ASF. I think this should be moved to MPOM.



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Christopher Tubbs (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470206#comment-17470206
 ] 

Christopher Tubbs commented on MNG-6784:


If we're talking about the files generated by the plugin in MPOM, and not the 
resolver stuff, then here's the related upstream ticket I filed awhile back: 
https://github.com/nicoulaj/checksum-maven-plugin/issues/127



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470205#comment-17470205
 ] 

Michael Osipov commented on MNG-6784:
-

http://checksum-maven-plugin.nicoulaj.net/ is used.



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470204#comment-17470204
 ] 

Michael Osipov commented on MNG-6784:
-

If this is going to change it should happen ASF wide, not just us.



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Christopher Tubbs (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470203#comment-17470203
 ] 

Christopher Tubbs commented on MNG-6784:


I'm not sure if this issue is about the resolver, or about files produced by 
some plugin for the release distribution area. In any case, I do think it would 
make sense if anywhere these files were created, they wrote in a format that 
included the filename, so it can be more easily verified with standard tooling. 
It does no harm to include the filename, and makes it easier for anybody,
regardless of context, to use a checksum file they encounter to verify the file
it accompanies.



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Jira


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470179#comment-17470179
 ] 

Tamás Cservenák commented on MNG-6784:
--

And one more thing: re checksum content, there are (to me at least) 3 "formats" 
known:
 * resolver style {{checksum}} (just checksum in file)
 * GNU style {{checksum filename}}
 * BSD style {{alg(filename) = checksum}}

Resolver can READ all 3 types of checksum styles, but WRITES only the first 
type.


--
This message was sent by Atlassian Jira
(v8.20.1#820001)
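
The three checksum-file styles listed in the comment above, as an added example that is not part of the thread or of Maven Resolver's code: a Python reader that accepts all three, verifies a file against them, and renders the GNU-style line that `shasum -c` can parse. The regular expressions, function names and sample file are assumptions of this example.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# The three styles from the comment above (patterns are this example's own).
BSD_RE = re.compile(r"^([A-Za-z0-9-]+) ?\((.+)\) = ([0-9A-Fa-f]+)$")  # alg(filename) = checksum
GNU_RE = re.compile(r"^([0-9A-Fa-f]+) [ *]?(.+)$")                    # checksum filename
RAW_RE = re.compile(r"^[0-9A-Fa-f]+$")                                # checksum only

def parse_checksum_line(line):
    """Return (style, hex_digest, filename or None, algorithm or None)."""
    line = line.strip()
    if m := BSD_RE.match(line):
        return "bsd", m.group(3).lower(), m.group(2), m.group(1).lower().replace("-", "")
    if m := GNU_RE.match(line):
        return "gnu", m.group(1).lower(), m.group(2), None
    if RAW_RE.match(line):
        return "raw", line.lower(), None, None
    raise ValueError("no properly formatted checksum line found")

def file_digest(path, algorithm="sha512"):
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(artifact, checksum_file, algorithm="sha512"):
    """Check artifact against a checksum file in any of the three styles."""
    first_line = (Path(checksum_file).read_text().splitlines() or [""])[0]
    style, expected, name, alg = parse_checksum_line(first_line)
    # A named line must refer to the file being checked, not a different one.
    if name is not None and Path(name).name != Path(artifact).name:
        return style, False
    return style, hmac.compare_digest(file_digest(artifact, alg or algorithm), expected)

def gnu_line(artifact, algorithm="sha512"):
    """Render the 'checksum  filename' line that `shasum -c` can parse."""
    return f"{file_digest(artifact, algorithm)}  {Path(artifact).name}\n"

def demo():
    """Verify one constructed artifact against all three checksum styles."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d, "example-bin.tar.gz")  # constructed sample artifact
        art.write_bytes(b"constructed sample payload\n")
        digest = file_digest(art)
        styles = {"raw": digest + "\n", "gnu": gnu_line(art),
                  "bsd": f"SHA512 ({art.name}) = {digest}\n"}
        results = {}
        for label, text in styles.items():
            ck = Path(d, f"{art.name}.{label}.sha512")
            ck.write_text(text)
            results[label] = verify(art, ck)
        return results

if __name__ == "__main__":
    print(demo())
```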


[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Jira


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470177#comment-17470177
 ] 

Tamás Cservenák commented on MNG-6784:
--

Hm, after rereading original issue: "the created SHA512 which is used for the 
distribution area" – is it maybe us misinterpreting this? As it is not resolver 
that creates "checksum for the distribution area", is it? If it is, it is
wrong. If it is not, what does create it?



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Jira


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470175#comment-17470175
 ] 

Tamás Cservenák commented on MNG-6784:
--

Agreed, please do not mix the two: md5/sha1 is used by resolver ONLY to 
eliminate transport corruption (bitrot). While SHA1 (and MD5) are deprecated in 
cryptography, this is not cryptography, just data integrity (and even today 
many Linux/Unix use MD5 for the same purpose). Also, see
[https://en.wikipedia.org/wiki/SHA-1] the "Data integrity" section.



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2022-01-06 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17470088#comment-17470088
 ] 

Michael Osipov commented on MNG-6784:
-

The linked paragraph by [~kwin] contains a lot of nonsense since checksum and
hash are used interchangeably which is wrong. All of the checksums we provide 
are solely for the consumption of Resolver to detect bitrot. Nothing else.

[~cstamas]

> Create correct SHA512 content
> -----------------------------
>
>                 Key: MNG-6784
>                 URL: https://issues.apache.org/jira/browse/MNG-6784
>             Project: Maven
>          Issue Type: Improvement
>          Components: Deployment
>    Affects Versions: 3.6.2
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>             Fix For: 4.0.x-candidate, wontfix-candidate
>
>
> Currently the created SHA512 which is used for the distribution area contains
> only the checksum but not the filename, which results in bad output if the
> checksums are being checked via a command line tool:
> {code}
> $ shasum -c apache-maven-3.2.5-bin.tar.gz.sha512
> $ shasum: apache-maven-3.2.5-bin.tar.gz.sha512: no properly formatted SHA 
> checksum lines found
> {code}
> The checksum should be enhanced to support that correctly.





[jira] [Commented] (MNG-6784) Create correct SHA512 content

2021-10-22 Thread Christopher Tubbs (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17432942#comment-17432942
 ] 

Christopher Tubbs commented on MNG-6784:


[~kwin] - The page you linked is an informational page, a "HOW TO" guide, not 
policy. Even if it were ASF policy, nothing in that page describes any kind of 
file format requirement, as far as I can tell. If you believe otherwise, please 
cite the specific line.


--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (MNG-6784) Create correct SHA512 content

2021-10-20 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17431057#comment-17431057
 ] 

Konrad Windszus commented on MNG-6784:
--

ASF requires raw hashes: 
https://www.apache.org/info/verification.html#CheckingHashes



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2021-09-19 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17417372#comment-17417372
 ] 

Michael Osipov commented on MNG-6784:
-

Yet another ping...



[jira] [Commented] (MNG-6784) Create correct SHA512 content

2020-10-03 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17206649#comment-17206649
 ] 

Michael Osipov commented on MNG-6784:
-

Can we close this?

> Create correct SHA512 content
> -----------------------------
>
>                 Key: MNG-6784
>                 URL: https://issues.apache.org/jira/browse/MNG-6784
>             Project: Maven
>          Issue Type: Improvement
>          Components: Deployment
>    Affects Versions: 3.6.2
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>             Fix For: 3.7.0-candidate, wontfix-candidate
>
>
> Currently the created SHA512 which is used for the distribution area contains
> only the checksum but not the filename, which results in bad output if the
> checksums are being checked via a command line tool:
> {code}
> $ shasum -c apache-maven-3.2.5-bin.tar.gz.sha512
> $ shasum: apache-maven-3.2.5-bin.tar.gz.sha512: no properly formatted SHA 
> checksum lines found
> {code}
> The checksum should be enhanced to support that correctly.





[jira] [Commented] (MNG-6784) Create correct SHA512 content

2019-10-15 Thread Michael Osipov (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-6784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16952077#comment-16952077
 ] 

Michael Osipov commented on MNG-6784:
-

I concur to change this. Because this will deviate from the general habit we 
provide checksum files. They contain the checksum only. There is no canonical
checksum file format.

> Create correct SHA512 content
> -----------------------------
>
>                 Key: MNG-6784
>                 URL: https://issues.apache.org/jira/browse/MNG-6784
>             Project: Maven
>          Issue Type: Improvement
>          Components: Deployment
>    Affects Versions: 3.6.2
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>             Fix For: 3.6.3
>
>
> Currently the created SHA512 which is used for the distribution area contains
> only the checksum but not the filename, which results in bad output if the
> checksums are being checked via a command line tool:
> {code}
> $ shasum -c apache-maven-3.2.5-bin.tar.gz.sha512
> $ shasum: apache-maven-3.2.5-bin.tar.gz.sha512: no properly formatted SHA 
> checksum lines found
> {code}
> The checksum should be enhanced to support that correctly.


