[ https://issues.apache.org/jira/browse/SPARK-23601?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Owen resolved SPARK-23601. ------------------------------- Resolution: Fixed Fix Version/s: 2.4.0 2.3.1 Resolved by https://github.com/apache/spark/pull/20737 > Remove .md5 files from release > ------------------------------ > > Key: SPARK-23601 > URL: https://issues.apache.org/jira/browse/SPARK-23601 > Project: Spark > Issue Type: Task > Components: Build > Affects Versions: 2.4.0 > Reporter: Sean Owen > Assignee: Sean Owen > Priority: Minor > Fix For: 2.3.1, 2.4.0 > > > Per email from Henk to PMCs: > {code} > The Release Distribution Policy[1] changed regarding checksum files. > See under "Cryptographic Signatures and Checksums Requirements" [2]. > MD5-file == a .md5 file > SHA-file == a .sha1, sha256 or .sha512 file > Old policy : > -- MUST provide a MD5-file > -- SHOULD provide a SHA-file [SHA-512 recommended] > New policy : > -- MUST provide a SHA- or MD5-file > -- SHOULD provide a SHA-file > -- SHOULD NOT provide a MD5-file > Providing MD5 checksum files is now discouraged for new releases, > but still allowed for past releases. > Why this change : > -- MD5 is broken for many purposes ; we should move away from it. > https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues > Impact for PMCs : > -- for new releases : > -- please do provide a SHA-file (one or more, if you like) > -- do NOT provide a MD5-file > -- for past releases : > -- you are not required to change anything > -- for artifacts accompanied by a SHA-file /and/ a MD5-file, > it would be nice if you removed the MD5-file > -- if, at the moment, you provide MD5-files, > please adjust your release tooling. > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org