Posted to dev@curator.apache.org by "Jordan Zimmerman (JIRA)" <ji...@apache.org> on 2018/12/09 23:57:00 UTC

[jira] [Resolved] (CURATOR-461) Update release artifact production to match new guidelines

     [ https://issues.apache.org/jira/browse/CURATOR-461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jordan Zimmerman resolved CURATOR-461.
--------------------------------------
    Resolution: Fixed

> Update release artifact production to match new guidelines
> ----------------------------------------------------------
>
>                 Key: CURATOR-461
>                 URL: https://issues.apache.org/jira/browse/CURATOR-461
>             Project: Apache Curator
>          Issue Type: Task
>          Components: Apache
>    Affects Versions: 4.0.1
>            Reporter: Jordan Zimmerman
>            Priority: Major
>             Fix For: 4.1.0
>
>
> From Apache...
>  
> The Release Distribution Policy[1] changed regarding checksum files.
>   See under "Cryptographic Signatures and Checksums Requirements" [2].
>     MD5-file == a .md5 file
>     SHA-file == a .sha1, .sha256 or .sha512 file
>  Old policy :
>     -- MUST provide a MD5-file
>     -- SHOULD provide a SHA-file [SHA-512 recommended]
>  New policy :
>     -- MUST provide a SHA- or MD5-file
>     -- SHOULD provide a SHA-file
>     -- SHOULD NOT provide a MD5-file
>     Providing MD5 checksum files is now discouraged for new releases,
>     but still allowed for past releases.
>  Why this change :
>     -- MD5 is broken for many purposes ; we should move away from it.
>        [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
>  Impact for PMCs :
>     -- for new releases :
>        -- please do provide a SHA-file (one or more, if you like)
>        -- do NOT provide a MD5-file
>     -- for past releases :
>        -- you are not required to change anything
>        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
>           it would be nice if you removed the MD5-file
>     -- if, at the moment, you provide MD5-files,
>        please adjust your release tooling.
>  Please mail me ([henkp@apache.org|mailto:henkp@apache.org]) if you have any questions etc.
>  FYI :
>   Many projects are not (entirely, strictly) checksum file compliant.
>   For an overview/inventory (by project) see :
>    [https://checker.apache.org/dist/unsummed.html]
>  At the moment :
>     -- no checksum : 176 packages in 28 projects ; non-compliant
>     -- only MD5    : 495 packages in 44 projects ; update tooling
>     -- only SHA    : 135 packages in 13 projects ; now compliant
>   In many cases, only a few (among many) checksum files are missing ;
>   you may want to fix that.
>   [1] [http://www.apache.org/dev/release-distribution]
>   [2] [http://www.apache.org/dev/release-distribution#sigs-and-sums]
>  Thanks, groeten,



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
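The policy quoted above asks PMCs to adjust release tooling so that each artifact ships with a SHA-file and no MD5-file. The following POSIX shell script is an added example and is not code from the Curator project or from the JIRA post: it writes a `.sha512` file per artifact in the layout `sha512sum -c` reads, verifies an artifact against that file, and audits a dist directory into the three states the mail lists (no checksum, only MD5, SHA present). The function names, the flat dist-directory layout and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the Curator project's release tooling): emit and verify
# .sha512 checksum files and audit a dist directory for the policy states
# named in the Apache release-distribution mail.

set -eu

# Hash a file with SHA-512 using whichever tool is installed (coreutils or perl shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Write <artifact>.sha512 as "<hex>  <basename>", the layout that sha512sum -c consumes.
write_sha512_file() {
    artifact=$1
    dir=$(dirname "$artifact")
    base=$(basename "$artifact")
    printf '%s  %s\n' "$(sha512_of "$artifact")" "$base" > "$dir/$base.sha512"
}

# Recompute the digest and compare it with the stored one; 0 means the artifact matches.
verify_sha512_file() {
    artifact=$1
    expected=$(cut -d' ' -f1 "$artifact.sha512")
    actual=$(sha512_of "$artifact")
    [ "$expected" = "$actual" ]
}

# Classify each artifact in a (flat, assumed) dist directory into the mail's
# three states and print "<state> <file>", where state is none|md5-only|sha.
# An artifact that has only a .md5 file is the "update tooling" case.
audit_dist_dir() {
    dir=$1
    for f in "$dir"/*; do
        case "$f" in
            *.sha1|*.sha256|*.sha512|*.md5|*.asc) continue ;;
        esac
        if [ -e "$f.sha1" ] || [ -e "$f.sha256" ] || [ -e "$f.sha512" ]; then
            state=sha
        elif [ -e "$f.md5" ]; then
            state=md5-only
        else
            state=none
        fi
        printf '%s %s\n' "$state" "$(basename "$f")"
    done
}
```

A release script would call `write_sha512_file` once per artifact after signing, and a pre-publish check would fail the build if `audit_dist_dir` reports any `none` or `md5-only` line; the `.asc` signature files are skipped because the policy treats signatures separately from checksums.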