You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@curator.apache.org by "Jordan Zimmerman (JIRA)" <ji...@apache.org> on 2018/12/09 23:57:00 UTC
[jira] [Resolved] (CURATOR-461) Update release artifact production
to match new guidelines
[ https://issues.apache.org/jira/browse/CURATOR-461?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jordan Zimmerman resolved CURATOR-461.
--------------------------------------
Resolution: Fixed
> Update release artifact production to match new guidelines
> ----------------------------------------------------------
>
> Key: CURATOR-461
> URL: https://issues.apache.org/jira/browse/CURATOR-461
> Project: Apache Curator
> Issue Type: Task
> Components: Apache
> Affects Versions: 4.0.1
> Reporter: Jordan Zimmerman
> Priority: Major
> Fix For: 4.1.0
>
>
> From Apache...
>
> The Release Distribution Policy[1] changed regarding checksum files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
> MD5-file == a .md5 file
> SHA-file == a .sha1, sha256 or .sha512 file
> Old policy :
> -- MUST provide a MD5-file
> -- SHOULD provide a SHA-file [SHA-512 recommended]
> New policy :
> -- MUST provide a SHA- or MD5-file
> -- SHOULD provide a SHA-file
> -- SHOULD NOT provide a MD5-file
> Providing MD5 checksum files is now discouraged for new releases,
> but still allowed for past releases.
> Why this change :
> -- MD5 is broken for many purposes ; we should move away from it.
> [https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues]
> Impact for PMCs :
> -- for new releases :
> -- please do provide a SHA-file (one or more, if you like)
> -- do NOT provide a MD5-file
> -- for past releases :
> -- you are not required to change anything
> -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
> it would be nice if you removed the MD5-file
> -- if, at the moment, you provide MD5-files,
> please adjust your release tooling.
> Please mail me ([henkp@apache.org|mailto:henkp@apache.org]) if you have any questions etc.
> FYI :
> Many projects are not (entirely, strictly) checksum file compliant.
> For an overview/inventory (by project) see :
> [https://checker.apache.org/dist/unsummed.html]
> At the moment :
> -- no checksum : 176 packages in 28 projects ; non-compliant
> -- only MD5 : 495 packages in 44 projects ; update tooling
> -- only SHA : 135 packages in 13 projects ; now comliant
> In many cases, only a few (among many) checksum file are missing ;
> you may want to fix that.
> [1] [http://www.apache.org/dev/release-distribution]
> [2] [http://www.apache.org/dev/release-distribution#sigs-and-sums]
> Thanks, groeten,
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)