You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@polygene.apache.org by Niclas Hedhman <he...@gmail.com> on 2017/08/16 09:00:31 UTC

Fwd: .sha Release Distribution Policy

Relevant?
---------- Forwarded message ----------
From: "Henk P. Penning" <pe...@uu.nl>
Date: Aug 16, 2017 10:56
Subject: .sha Release Distribution Policy
To: <he...@apache.org>
Cc:

Hi PMC,

   The Release Distribution Policy[1] changed regarding .sha files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

  Old policy :

    -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

  New policy :

     -- use .sha1 for a SHA-1 checksum
     -- use .sha256 for a SHA-256 checksum
     -- use .sha512 for a SHA-512 checksum
     -- [*] .sha should contain a SHA-1

  Why this change ?

     -- Verifying a checksum under the old policy is/was not handy.
        You have to inspect the .sha to find out which algorithm
        should be used ; or try them all (SHA-1, SHA256, etc).
        The new scheme avoids this ambiguity.
     -- The last point[*] was only added for clarity. Most of the
        old, stale .sha's contain a SHA-1. The relatively new .sha's
        contain a SHA-512. The expectation is that the last catagory will
        disappear, when active projects adapt to the 'new' convention.

  Impact :

     -- Should be none ; many projects already use the 'new' convention.
     -- Please ask your release managers to use .sha1, .sha256, .sha512
        instead of the .sha extension.
     -- Please fix your build-tools if you have any.

  Piggyback :

     -- The policy requires a .md5 for every package ;
        providing a .sha512 is recommended.
        Since MD5 is essentially broken, it is to be expected that
        in the future a .sha512 will be required.
        Perhaps it is wize to start providing .sha512's
        with your releases if you do not already do so.

     -- Visit http://mirror-vm.apache.org/checker/
        to check the health of your /dist/-area ;
        my stuff ; any feedback is most welcome.

  Thanks ; regards,

  Henk Penning

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

------------------------------------------------------------
Henk P. Penning ; apache.org infrastructure volunteer.
henkp@apache.org ; http://mirror-vm.apache.org/~henkp/

Re: Fwd: .sha Release Distribution Policy

Posted by Paul Merlin <pa...@nosphere.org>.

Le 16 août 2017 11:00:31 GMT+02:00, Niclas Hedhman <he...@gmail.com> a écrit :
>Relevant?
>---------- Forwarded message ----------
>From: "Henk P. Penning" <pe...@uu.nl>
>Date: Aug 16, 2017 10:56
>Subject: .sha Release Distribution Policy
>To: <he...@apache.org>
>Cc:
>
>Hi PMC,
>
>   The Release Distribution Policy[1] changed regarding .sha files.
>   See under "Cryptographic Signatures and Checksums Requirements" [2].
>
>  Old policy :
>
>   -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
>
>  New policy :
>
>     -- use .sha1 for a SHA-1 checksum
>     -- use .sha256 for a SHA-256 checksum
>     -- use .sha512 for a SHA-512 checksum
>     -- [*] .sha should contain a SHA-1
>
>  Why this change ?
>
>     -- Verifying a checksum under the old policy is/was not handy.
>        You have to inspect the .sha to find out which algorithm
>        should be used ; or try them all (SHA-1, SHA256, etc).
>        The new scheme avoids this ambiguity.
>     -- The last point[*] was only added for clarity. Most of the
>        old, stale .sha's contain a SHA-1. The relatively new .sha's
>      contain a SHA-512. The expectation is that the last catagory will
>        disappear, when active projects adapt to the 'new' convention.
>
>  Impact :
>
>    -- Should be none ; many projects already use the 'new' convention.
>     -- Please ask your release managers to use .sha1, .sha256, .sha512
>        instead of the .sha extension.
>     -- Please fix your build-tools if you have any.
>
>  Piggyback :
>
>     -- The policy requires a .md5 for every package ;
>        providing a .sha512 is recommended.
>        Since MD5 is essentially broken, it is to be expected that
>        in the future a .sha512 will be required.
>        Perhaps it is wize to start providing .sha512's
>        with your releases if you do not already do so.
>
>     -- Visit http://mirror-vm.apache.org/checker/
>        to check the health of your /dist/-area ;
>        my stuff ; any feedback is most welcome.
>
>  Thanks ; regards,
>
>  Henk Penning
>
>   [1] http://www.apache.org/dev/release-distribution
>   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>
>------------------------------------------------------------
>Henk P. Penning ; apache.org infrastructure volunteer.
>henkp@apache.org ; http://mirror-vm.apache.org/~henkp/

Yes it is.

Actually we use a 'SHA-512' extension and we should change it to 'sha512' according to the new policy.

I'm on my phone, Niclas, would you mind creating an issue and assign it to me?