Posted to site-dev@apache.org by sebb <se...@gmail.com> on 2017/07/31 09:45:12 UTC

Re: svn commit: r1803496 - /infrastructure/site/trunk/content/dev/release-distribution.mdtext

On 31 July 2017 at 10:06,  <he...@apache.org> wrote:
> Author: henkp
> Date: Mon Jul 31 09:06:21 2017
> New Revision: 1803496
>
> URL: http://svn.apache.org/viewvc?rev=1803496&view=rev
> Log:
> SHA-$xxx checksum files should be suffixed .sha$xxx
>
> Modified:
>     infrastructure/site/trunk/content/dev/release-distribution.mdtext
>
> Modified: infrastructure/site/trunk/content/dev/release-distribution.mdtext
> URL: http://svn.apache.org/viewvc/infrastructure/site/trunk/content/dev/release-distribution.mdtext?rev=1803496&r1=1803495&r2=1803496&view=diff
> ==============================================================================
> --- infrastructure/site/trunk/content/dev/release-distribution.mdtext (original)
> +++ infrastructure/site/trunk/content/dev/release-distribution.mdtext Mon Jul 31 09:06:21 2017
> @@ -115,7 +115,14 @@ MUST be formed by adding to the name of
>  *   the checksum by suffixing `.md5`
>
>  An [SHA](release-signing#sha-checksum) checksum SHOULD also be created and
> -MUST be suffixed `.sha`.  The checksum SHOULD be generated using `SHA512`.
> +MUST be suffixed as:
> +
> +* `.sha1` for a SHA-1 checksum
> +* `.sha256` for a SHA-256 checksum
> +* `.sha512` for a SHA-512 checksum
> +
> +The checksum SHOULD be generated using `SHA-512`.
> +A `.sha` file SHOULD contain a SHA-1 checksum, for historical reasons.
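Review bot: the last added line leaves the status of `.sha` ambiguous: it says a `.sha` file SHOULD contain a SHA-1 checksum "for historical reasons" right after saying the checksum SHOULD be generated using `SHA-512`, so a reader can take it as permission to keep publishing `.sha` files, and it says nothing about the existing `.sha` files that hold SHA-256 or SHA-512 digests. Suggest making the legacy status explicit, e.g. `A legacy `.sha` file SHOULD be read as a SHA-1 checksum; new releases MUST use one of the suffixes above.` The list also does not say what the file must contain (bare hex digest, `digest  filename`, or `SHA512(file)= digest`), which is the other half of making these files machine-checkable by suffix alone. Drive-by in the unchanged context: the `KEYS` link target `#release-signing#keys-policy` has a stray leading `#` compared with `release-signing#sha-checksum` above.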

AFAICT this is a significant change to the policy.

Previously, SHA checksums had to be in a file *.sha.
There was no option for other suffixes.
Equally, there was no requirement to use SHA-1.
So *.sha files could contain SHA-1 or SHA-256 etc.

I think this change needs to be communicated to PMCs and/or committers.

>  Projects MUST publish a "[`KEYS`](#release-signing#keys-policy)" file in their
>  distribution directory which contains all public keys used to sign artifacts.
>
>

Re: svn commit: r1803496 - /infrastructure/site/trunk/content/dev/release-distribution.mdtext

Posted by "Henk P. Penning" <pe...@uu.nl>.
On Mon, 31 Jul 2017, sebb wrote:

> Date: Mon, 31 Jul 2017 11:45:12 +0200
> From: sebb <se...@gmail.com>
> To: site-dev@apache.org
> Cc: henkp@apache.org
> Subject: Re: svn commit: r1803496 -
>     /infrastructure/site/trunk/content/dev/release-distribution.mdtext

   [ top-post ; from INFRA-14611 ]

Hi Sebb,

> Previously, SHA checksums had to be in a file *.sha.
> There was no option for other suffixes.

   Agree.

> Equally, there was no requirement to use SHA-1.

   There was the recommendation (SHOULD) to provide a SHA checksum ;
   the recommendation was to provide a SHA-512 sum. That hasn't changed.
   Why do you think SHA-1 is now required ?

> So *.sha files could contain SHA-1 or SHA-256 etc.

   Right, it could and it does. The problem with that is that one has
   to look at the content of the .sha file, to determine if it is a
   SHA-1, SHA-256 or SHA-512 checksum (and there are many other SHA-xxx
   types). The format of the .sha isn't specified and varies wildly.
   So, to avoid ambiguity (for tools and downloaders), the extension
   scheme is now recommended.

   Note that many TLPs (e.g. openoffice) already use .sha1, .sha256
   and/or .sha512 extensions, so the change documents common practice.

   Further, most of the .sha's containing a SHA-1 are old, and the
   .sha's containing SHA-256 or SHA-512's are new.

   If/when the TLPs adapt to the new policy, the .sha's containing
   a non-SHA-1 will hopefully disappear.

> I think this change needs to be communicated to PMCs and/or committers.

   A mail to the (P)PMCs would be nice ; no idea how to do that, though.

   Please look at my new checker : http://mirror-vm.apache.org/checker/
   Mail me (henkp@apache.org) any comments, remarks, surprises etc.

   Regards,

   HPP

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof HFG-406   _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Budapestlaan 6, 3584CD Utrecht, NL        F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/
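The ambiguity Henk describes, as an added example that is not the mirror-vm checker or any Apache tool: a verifier that takes the algorithm from a `.sha1`/`.sha256`/`.sha512` (or `.md5`) suffix, falls back to inferring it from the digest length only for a legacy `.sha` file, and tolerates the varying file layouts (bare digest, `sha*sum` style, `openssl dgst` style, `gpg --print-md` groups). The artifact bytes and file names are constructed.

```python
import hashlib
import hmac
import re
from pathlib import PurePosixPath

# Suffix -> algorithm, as in the quoted policy change; ".sha" is handled separately.
SUFFIX_ALGO = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Hex-digest length -> algorithm; only needed for legacy ".sha" files.
LEN_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def extract_digest(text: str):
    """Find the hex digest in any of the layouts seen in the wild: bare digest,
    'digest  filename' (sha*sum), 'SHA512(file)= digest' (openssl dgst), or
    gpg --print-md output, where the digest is split into space-separated groups."""
    tokens = [t for t in text.split() if HEX.match(t)]
    for t in tokens:                      # single-token layouts
        if len(t) in LEN_ALGO:
            return t.lower()
    joined = "".join(tokens)              # gpg --print-md style groups
    return joined.lower() if len(joined) in LEN_ALGO else None

def verify(artifact: bytes, checksum_name: str, checksum_text: str):
    """Return (ok, note). The algorithm comes from the suffix; for a legacy
    '.sha' file it must be inferred from the content, which is exactly the
    ambiguity the suffix scheme removes."""
    suffix = PurePosixPath(checksum_name).suffix.lower()
    digest = extract_digest(checksum_text)
    if digest is None:
        return False, "no recognisable digest in checksum file"
    if suffix in SUFFIX_ALGO:
        algo = SUFFIX_ALGO[suffix]
        if LEN_ALGO[len(digest)] != algo:
            return False, f"{suffix} file holds a {LEN_ALGO[len(digest)]} digest, not {algo}"
        note = algo
    elif suffix == ".sha":
        algo = LEN_ALGO[len(digest)]
        note = "legacy .sha read as " + algo + ("" if algo == "sha1" else " (non-conforming)")
    else:
        return False, f"unknown checksum suffix {suffix!r}"
    ok = hmac.compare_digest(hashlib.new(algo, artifact).hexdigest(), digest)
    return ok, (note if ok else f"{algo} mismatch")

ARTIFACT = b"constructed release tarball bytes\n"   # constructed, not a real release
def run_samples():
    h = {a: hashlib.new(a, ARTIFACT).hexdigest() for a in ("sha1", "sha256", "sha512")}
    gpg_style = "foo.tar.gz: " + " ".join(h["sha256"][i:i + 4].upper() for i in range(0, 64, 4))
    return [
        verify(ARTIFACT, "foo.tar.gz.sha512", f"{h['sha512']}  foo.tar.gz\n"),
        verify(ARTIFACT, "foo.tar.gz.sha512", f"SHA512(foo.tar.gz)= {h['sha512']}\n"),
        verify(ARTIFACT, "foo.tar.gz.sha256", h["sha1"]),     # wrong algorithm for the suffix
        verify(ARTIFACT, "foo.tar.gz.sha", gpg_style),        # legacy file, algorithm inferred
        verify(ARTIFACT, "foo.tar.gz.sha", "0" * 40),         # SHA-1 length, wrong value
    ]
```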
