You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2018/04/11 12:14:50 UTC
[releases] using sha1 instead of md5
Hi,
As per https://www.apache.org/dev/release-signing.html we should stop
using md5 digests and point to the sha1 digests that we already have,
instead (because md5 is broken nowadays).
I have made that change at http://sling.apache.org/downloads.cgi to
point to sha1 digests - and fixed a bunch of broken links there at the
same time, where versions where out of sync with
https://dist.apache.org/repos/dist/release/sling/
Does anyone know how to disable the creation of md5 digests in our
release builds? I have the impression that it's repository.apache.org
that addds them: if I do a "maven:deploy" on one of our modules,
they're not shown as being uploaded but are present in the
repository.a.o folder.
-Bertrand
Re: [releases] using sha1 instead of md5
Posted by Robert Munteanu <ro...@apache.org>.
Hi Betrand,
On Wed, 2018-04-11 at 14:14 +0200, Bertrand Delacretaz wrote:
> Hi,
>
> As per https://www.apache.org/dev/release-signing.html we should stop
> using md5 digests and point to the sha1 digests that we already have,
> instead (because md5 is broken nowadays).
>
> I have made that change at http://sling.apache.org/downloads.cgi to
> point to sha1 digests - and fixed a bunch of broken links there at
> the
> same time, where versions where out of sync with
> https://dist.apache.org/repos/dist/release/sling/
>
> Does anyone know how to disable the creation of md5 digests in our
> release builds? I have the impression that it's repository.apache.org
> that addds them: if I do a "maven:deploy" on one of our modules,
> they're not shown as being uploaded but are present in the
> repository.a.o folder.
I am not sure when/how they are generated.
Note that there's a task for the release policy update at
https://issues.apache.org/jira/browse/SLING-7534
Robert