Posted to dev@polygene.apache.org by Niclas Hedhman <he...@gmail.com> on 2017/08/16 09:00:31 UTC
Fwd: .sha Release Distribution Policy
Relevant?
---------- Forwarded message ----------
From: "Henk P. Penning" <pe...@uu.nl>
Date: Aug 16, 2017 10:56
Subject: .sha Release Distribution Policy
To: <he...@apache.org>
Cc:
Hi PMC,
The Release Distribution Policy[1] changed regarding .sha files.
See under "Cryptographic Signatures and Checksums Requirements" [2].
Old policy :
-- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
New policy :
-- use .sha1 for a SHA-1 checksum
-- use .sha256 for a SHA-256 checksum
-- use .sha512 for a SHA-512 checksum
-- [*] .sha should contain a SHA-1
Why this change ?
-- Verifying a checksum under the old policy is/was not handy.
You have to inspect the .sha to find out which algorithm
should be used ; or try them all (SHA-1, SHA256, etc).
The new scheme avoids this ambiguity.
-- The last point[*] was only added for clarity. Most of the
old, stale .sha's contain a SHA-1. The relatively new .sha's
contain a SHA-512. The expectation is that the last category will
disappear, when active projects adapt to the 'new' convention.
Impact :
-- Should be none ; many projects already use the 'new' convention.
-- Please ask your release managers to use .sha1, .sha256, .sha512
instead of the .sha extension.
-- Please fix your build-tools if you have any.
Piggyback :
-- The policy requires a .md5 for every package ;
providing a .sha512 is recommended.
Since MD5 is essentially broken, it is to be expected that
in the future a .sha512 will be required.
Perhaps it is wise to start providing .sha512's
with your releases if you do not already do so.
-- Visit http://mirror-vm.apache.org/checker/
to check the health of your /dist/-area ;
my stuff ; any feedback is most welcome.
Thanks ; regards,
Henk Penning
[1] http://www.apache.org/dev/release-distribution
[2] http://www.apache.org/dev/release-distribution#sigs-and-sums
------------------------------------------------------------
Henk P. Penning ; apache.org infrastructure volunteer.
henkp@apache.org ; http://mirror-vm.apache.org/~henkp/
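The verification problem Henk describes (a bare .sha tells you nothing about which algorithm to run) is easy to see in code. The following checker is an added example written for this thread, not part of the Polygene build or any ASF tooling: it picks the algorithm from the new-policy extensions (.md5, .sha1, .sha256, .sha512), falls back to inferring the SHA variant from digest length only for the legacy .sha extension, and rejects a file whose digest length contradicts its extension. It accepts both the `sha512sum` layout ("hex  filename") and the `gpg --print-md` layout ("filename: ABCD 1234 ..."). The artifact bytes, the hypothetical artifact name and the checksum texts are constructed sample data (the digests are the standard test-vector values for the input "abc").

```python
import hashlib
import hmac
import re
from pathlib import Path

# Algorithm implied by the checksum file's extension under the new policy.
EXTENSION_ALGORITHMS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}

# Hex-digest length -> algorithm; consulted only for the ambiguous legacy ".sha" extension.
LEGACY_SHA_LENGTHS = {40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed sample: "abc" stands in for a release artifact; the digests below are the
# well-known test-vector values for that input. The artifact name is hypothetical.
SAMPLE_DATA = b"abc"
SAMPLE_NAME = "polygene-example.tgz"
SAMPLE_CHECKSUMS = {
    ".md5": "900150983cd24fb0d6963f7d28e17f72  " + SAMPLE_NAME,
    ".sha1": "a9993e364706816aba3e25717850c26c9cd0d89d  " + SAMPLE_NAME,
    ".sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  " + SAMPLE_NAME,
    ".sha512": "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
               "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f  " + SAMPLE_NAME,
    # Legacy extension holding a SHA-512 in the `gpg --print-md` layout: the kind of
    # file the old policy allowed and the new one phases out.
    ".sha": SAMPLE_NAME + ": DDAF 35A1 9361 7ABA CC41 7349 AE20 4131 12E6 FA4E 89A9 7EA2\n"
            "          0A9E EEE6 4B55 D39A 2192 992A 274F C1A8 36BA 3C23 A3FE EBBD\n"
            "          454D 4423 643C E80E 2A9A C94F A54C A49F",
}


def parse_checksum_text(text: str) -> str:
    """Return the lower-case hex digest stored in a checksum file's text."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    if tokens[0].endswith(":"):      # `gpg --print-md` layout: "<file>: AB12 CD34 ..."
        digest = "".join(tokens[1:])
    else:                            # `sha512sum` layout "<hex>  <file>", or a bare digest
        digest = tokens[0]
    digest = digest.lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("checksum file does not contain a hex digest")
    return digest


def algorithm_for(extension: str, digest: str) -> str:
    """Pick the hash algorithm from the file extension (new policy) or, for the
    legacy .sha extension only, from the digest length."""
    ext = extension.lower()
    if ext in EXTENSION_ALGORITHMS:
        algo = EXTENSION_ALGORITHMS[ext]
    elif ext == ".sha":
        if len(digest) not in LEGACY_SHA_LENGTHS:
            raise ValueError(f"cannot infer SHA variant from a {len(digest)}-char .sha digest")
        algo = LEGACY_SHA_LENGTHS[len(digest)]
    else:
        raise ValueError(f"unsupported checksum extension {extension!r}")
    # A digest whose length contradicts the advertised algorithm is a mislabelled file;
    # refuse it rather than silently reporting a mismatch.
    if len(digest) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"{extension} file holds a {len(digest)}-char digest, not {algo}")
    return algo


def verify_bytes(data: bytes, checksum_text: str, checksum_extension: str) -> bool:
    """True if `data` hashes to the digest in `checksum_text` under the algorithm
    implied by `checksum_extension`."""
    expected = parse_checksum_text(checksum_text)
    algo = algorithm_for(checksum_extension, expected)
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_file(artifact: Path, checksum_file: Path) -> bool:
    """Verify an on-disk artifact against its sibling checksum file."""
    return verify_bytes(artifact.read_bytes(), checksum_file.read_text(), checksum_file.suffix)


if __name__ == "__main__":
    import tempfile

    # Write the constructed artifact and checksum files to a scratch directory and check each.
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp, SAMPLE_NAME)
        artifact.write_bytes(SAMPLE_DATA)
        for ext, text in SAMPLE_CHECKSUMS.items():
            checksum_file = Path(tmp, SAMPLE_NAME + ext)
            checksum_file.write_text(text)
            status = "OK" if verify_file(artifact, checksum_file) else "FAILED"
            print(f"{checksum_file.name}: {status}")
```

Release managers can point `verify_file` at a staged /dist/ directory to confirm every sidecar matches before the vote; the mislabel check is what catches a .sha1 file that a build script accidentally filled with a SHA-512.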
Re: Fwd: .sha Release Distribution Policy
Posted by Paul Merlin <pa...@nosphere.org>.
On 16 Aug 2017 11:00:31 GMT+02:00, Niclas Hedhman <he...@gmail.com> wrote:
>Relevant?
>---------- Forwarded message ----------
>From: "Henk P. Penning" <pe...@uu.nl>
>Date: Aug 16, 2017 10:56
>Subject: .sha Release Distribution Policy
>To: <he...@apache.org>
>Cc:
>
>Hi PMC,
>
> The Release Distribution Policy[1] changed regarding .sha files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> Old policy :
>
> -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
>
> New policy :
>
> -- use .sha1 for a SHA-1 checksum
> -- use .sha256 for a SHA-256 checksum
> -- use .sha512 for a SHA-512 checksum
> -- [*] .sha should contain a SHA-1
>
> Why this change ?
>
> -- Verifying a checksum under the old policy is/was not handy.
> You have to inspect the .sha to find out which algorithm
> should be used ; or try them all (SHA-1, SHA256, etc).
> The new scheme avoids this ambiguity.
> -- The last point[*] was only added for clarity. Most of the
> old, stale .sha's contain a SHA-1. The relatively new .sha's
> contain a SHA-512. The expectation is that the last category will
> disappear, when active projects adapt to the 'new' convention.
>
> Impact :
>
> -- Should be none ; many projects already use the 'new' convention.
> -- Please ask your release managers to use .sha1, .sha256, .sha512
> instead of the .sha extension.
> -- Please fix your build-tools if you have any.
>
> Piggyback :
>
> -- The policy requires a .md5 for every package ;
> providing a .sha512 is recommended.
> Since MD5 is essentially broken, it is to be expected that
> in the future a .sha512 will be required.
> Perhaps it is wise to start providing .sha512's
> with your releases if you do not already do so.
>
> -- Visit http://mirror-vm.apache.org/checker/
> to check the health of your /dist/-area ;
> my stuff ; any feedback is most welcome.
>
> Thanks ; regards,
>
> Henk Penning
>
> [1] http://www.apache.org/dev/release-distribution
> [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>
>------------------------------------------------------------
>Henk P. Penning ; apache.org infrastructure volunteer.
>henkp@apache.org ; http://mirror-vm.apache.org/~henkp/
Yes it is.
Actually we use a 'SHA-512' extension and we should change it to 'sha512' according to the new policy.
I'm on my phone, Niclas, would you mind creating an issue and assign it to me?