Posted to dev@tinkerpop.apache.org by "Daniel Kuppitz (JIRA)" <ji...@apache.org> on 2018/03/09 15:32:00 UTC
[jira] [Commented] (TINKERPOP-1912) Remove MD5 checksums
[ https://issues.apache.org/jira/browse/TINKERPOP-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393008#comment-16393008 ]
Daniel Kuppitz commented on TINKERPOP-1912:
-------------------------------------------
I'll give this ticket a break as I'm kinda stuck. Here's what I did thus far and where I ran into problems.
First I added the {{checksum-maven-plugin}} and configured it to generate SHA-512 checksums for all artifacts. Unfortunately, these artifacts do not include the source release and I have no idea if there's a way to generate the source release zip file as part of the build so that it ends up being in the {{target/}} directory.
There are only a few steps in our release process that require the artifacts and their respective checksums:
{noformat}
cp ~/.m2/repository/org/apache/tinkerpop/gremlin-console/xx.yy.zz/gremlin-console-xx.yy.zz-distribution.zip* dev/xx.yy.zz
cp ~/.m2/repository/org/apache/tinkerpop/gremlin-server/xx.yy.zz/gremlin-server-xx.yy.zz-distribution.zip* dev/xx.yy.zz
cp ~/.m2/repository/org/apache/tinkerpop/tinkerpop/xx.yy.zz/tinkerpop-xx.yy.zz-source-release.zip* dev/xx.yy.zz
{noformat}
The first 2 steps can easily be solved by this PR, as we can now get the artifacts and the checksum files from the respective {{target/}} directories. However, the source release zip file still only gets generated in {{.m2}} without the required SHA-512 checksum file.
*.m2 directories:*
{noformat}
daniel@cube ~/.m2 $ ls repository/org/apache/tinkerpop/{gremlin-console,gremlin-server,tinkerpop}/3.2.8-SNAPSHOT/*.zip*
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.asc
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.md5
repository/org/apache/tinkerpop/gremlin-console/3.2.8-SNAPSHOT/gremlin-console-3.2.8-SNAPSHOT-distribution.zip.sha1
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.asc
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.md5
repository/org/apache/tinkerpop/gremlin-server/3.2.8-SNAPSHOT/gremlin-server-3.2.8-SNAPSHOT-distribution.zip.sha1
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.asc
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.md5
repository/org/apache/tinkerpop/tinkerpop/3.2.8-SNAPSHOT/tinkerpop-3.2.8-SNAPSHOT-source-release.zip.sha1
{noformat}
*Local target directories:*
{noformat}
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $ ll {gremlin-console,gremlin-server}/target/*distribution.zip*
-rw-r--r-- 1 daniel daniel 23979755 Mar 9 08:16 gremlin-console/target/apache-tinkerpop-gremlin-console-3.2.8-SNAPSHOT-distribution.zip
-rw-r--r-- 1 daniel daniel 128 Mar 9 08:16 gremlin-console/target/apache-tinkerpop-gremlin-console-3.2.8-SNAPSHOT-distribution.zip.sha512
-rw-r--r-- 1 daniel daniel 23700174 Mar 9 08:15 gremlin-server/target/apache-tinkerpop-gremlin-server-3.2.8-SNAPSHOT-distribution.zip
-rw-r--r-- 1 daniel daniel 128 Mar 9 08:15 gremlin-server/target/apache-tinkerpop-gremlin-server-3.2.8-SNAPSHOT-distribution.zip.sha512
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $ find . -name "*source-release.zip*"
daniel@cube /projects/apache/tinkerpop (TINKERPOP-1912) $
{noformat}
One way out of this misery could be to use SHA-1 files only. In fact, this would be pretty easy and require almost no changes at all. However, if anybody can come up with an idea on how to generate the SHA-512 checksum (recommended by Apache) for the source release, I'm all ears. If not, I will just revert my changes at some point and adjust the release steps to only include the SHA-1 checksum.
> Remove MD5 checksums
> --------------------
>
> Key: TINKERPOP-1912
> URL: https://issues.apache.org/jira/browse/TINKERPOP-1912
> Project: TinkerPop
> Issue Type: Improvement
> Components: build-release
> Affects Versions: 3.2.7
> Reporter: Daniel Kuppitz
> Assignee: Daniel Kuppitz
> Priority: Minor
>
> Apache is asking to remove MD5 checksums from releases.
> *Old policy:*
> * MUST provide a MD5-file
> * SHOULD provide a SHA-file [SHA-512 recommended]
> *New policy:*
> * MUST provide a SHA- or MD5-file
> * SHOULD provide a SHA-file
> * SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases, but still allowed for past releases.
> *Why this change:*
> * MD5 is broken for many purposes; we should move away from it.
> [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
> *Impact for PMCs:*
> * _*for new releases:*_
> ** please do provide a SHA-file (one or more, if you like)
> ** do NOT provide a MD5-file
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
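The 128-byte {{.sha512}} files in the {{target/}} listing above are bare hex digests (SHA-512 is 64 bytes, so 128 hex characters, with no filename and no trailing newline). That format is what the checksum-maven-plugin wrote, but {{sha512sum -c}} will not accept it as-is, and the source release zip has no checksum at all. The script below is an added example, not code from the TinkerPop project or from this thread: it writes a bare-digest {{.sha512}} for any artifact that lacks one, verifies either the bare or the {{digest  filename}} format, and audits a staging directory like {{dev/xx.yy.zz}} for missing signatures, bad checksums and leftover {{.md5}} files. It assumes {{sha512sum}} (coreutils) or {{shasum}} is on the PATH; the sample artifact and its file names are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not TinkerPop project code): generate, verify and audit
# bare-digest SHA-512 checksum files for release artifacts.

# Hex SHA-512 of a file; uses coreutils sha512sum, falls back to shasum.
sha512_hex() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Write <artifact>.sha512 containing only the 128 hex digest characters,
# the same shape as the 128-byte files produced by the Maven plugin.
write_sha512() {
  printf '%s' "$(sha512_hex "$1")" > "$1.sha512"
}

# Verify <artifact> against <artifact>.sha512. Accepts both the bare digest
# and the "digest  filename" layout; the comparison is case-insensitive.
# Returns 0 on match, 1 on mismatch, 2 if the checksum file is missing.
verify_sha512() {
  artifact=$1
  [ -f "$artifact.sha512" ] || { echo "MISSING  $artifact.sha512"; return 2; }
  expected=$(awk '{print tolower($1)}' "$artifact.sha512")
  actual=$(sha512_hex "$artifact" | tr 'A-Z' 'a-z')
  if [ "$expected" = "$actual" ]; then
    echo "OK       $artifact"
    return 0
  fi
  echo "FAIL     $artifact"
  return 1
}

# Audit a staging directory: every .zip needs a detached .asc signature and
# a valid .sha512; under the new policy no .md5 file should be shipped.
audit_dir() {
  dir=$1
  rc=0
  for z in "$dir"/*.zip; do
    [ -e "$z" ] || continue
    [ -f "$z.asc" ] || { echo "NO-SIG   $z"; rc=1; }
    verify_sha512 "$z" || rc=1
  done
  for m in "$dir"/*.md5; do
    [ -e "$m" ] || continue
    echo "MD5      $m (should not be provided)"
    rc=1
  done
  return $rc
}

# Demo on a constructed staging directory: a stand-in for the source release
# zip (not a real archive) plus a stand-in for its detached signature.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed sample artifact\n' > "$tmp/tinkerpop-0.0.0-source-release.zip"
  printf 'constructed signature stand-in\n' > "$tmp/tinkerpop-0.0.0-source-release.zip.asc"
  write_sha512 "$tmp/tinkerpop-0.0.0-source-release.zip"
  audit_dir "$tmp"
  rm -rf "$tmp"
}

demo
```

Run it once to see the demo pass; pointing {{audit_dir}} at a real {{dev/xx.yy.zz}} directory after the three {{cp}} steps above would flag any artifact copied without its {{.sha512}} (the source release case) and any {{.md5}} that slipped through from {{.m2}}.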