Posted to users@maven.apache.org by Konrad Windszus <ko...@gmx.de> on 2018/09/03 17:02:01 UTC

How to validate SHA512/SHA256 checksums during a release of an ASF project

Hi,
I am a committer of the ASF project Sling, which heavily relies on Maven. We obviously have to follow the ASF policy as well to distribute SHA512 or SHA256 checksums along with our source releases.
While the first support for this has been made by https://issues.apache.org/jira/browse/MPOM-205 (thanks a lot for that), I am still not supposed to upload the checksums to the ASF Staging Repo (Nexus), because Nexus will not detect those as checksums and will generate sha1 and md5 files for my custom checksum as well.

You guys are basically saying that the sha512 checksum is not supposed to be uploaded to the Staging repo (also in https://issues.apache.org/jira/browse/MINSTALL-138), but then I wonder how to validate a release based on the staging repository? At least the checksum you can no longer (half-automatically) validate. The only way to validate would be to include the checksum as text in the vote email, and everyone verifying would need to check against his own build. That is a lot of overhead compared to previously just automatically checking the generated SHA1/MD5 checksums.

Also we often have the situation that the release managers are not PMC members and therefore need to ask other people to push to dist. These steps were fairly easy in the past, as it was only required to download the staged repo and push that to the corresponding SVN repo. But now it would rather require checking out/cloning the tagged release from the SCM and building it on your own, which can be pretty time consuming and also makes the staging partly useless.

How do you guys at Maven handle the ASF release process with SHA512 checksums? The guidelines at https://maven.apache.org/developers/release/maven-project-release-procedure.html are a little bit fuzzy in that regard.
Thanks in advance for any input,

Konrad


Re: How to validate SHA512/SHA256 checksums during a release of an ASF project

Posted by Hervé BOUTEMY <he...@free.fr>.
Hi Konrad,

> The only way to
> validate would be to include the checksum as text in the vote email and
> everyone verifying would need to check against his own build.
the checksum has to be validated against the downloaded zip file: yes, not 
automagic, but not so complex

> Also we often have the situation that the release managers are not PMC
> members and therefore need to ask other people to push to dist.
the PMC downloads the .zip and gets the checksum with sha512sum command, then 
creates the checksum file by hand: yes, manual is not ideal, but this case is 
not expected to happen too often


Of course, if someone knows how to write a Nexus plugin to provide a sha512 
file without promoting it to Central later in the process, don't hesitate

Regards,

Hervé
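The manual procedure described in this reply (download the zip, take its digest with sha512sum, write the checksum file by hand, then let reviewers verify their download against it) as a small POSIX shell script. This is an added example, not code from the thread or from the Maven or Sling projects; the archive name is a constructed stand-in, and it assumes either coreutils `sha512sum` or Perl `shasum` is on the PATH. Because Nexus will neither produce nor check this file for you, the verifier accepts both layouts a `.sha512` file may arrive in: the two-column `sha512sum` format and a bare hex digest pasted from a vote mail.

```shell
#!/bin/sh
# Added example, not from the thread: create and verify a .sha512 file for a
# release archive, following the manual steps in Hervé's reply.
# Assumption: GNU coreutils sha512sum is available; otherwise fall back to
# `shasum -a 512` (Perl, present on macOS).

sha512_of() {
    # Print only the hex digest of file $1.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

make_checksum_file() {
    # Write "<digest>  <basename>" to $1.sha512, the format `sha512sum -c` reads.
    digest=$(sha512_of "$1") || return 1
    printf '%s  %s\n' "$digest" "$(basename "$1")" > "$1.sha512"
}

verify_checksum_file() {
    # Verify archive $1 against $1.sha512. Accepts the two-column sha512sum
    # format or a bare digest; the comparison is case-insensitive.
    # Returns 0 on match, 1 on mismatch, malformed or missing checksum file.
    archive=$1
    sumfile=$archive.sha512
    [ -f "$sumfile" ] || { echo "missing $sumfile" >&2; return 1; }
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    if [ ${#expected} -ne 128 ]; then
        echo "$sumfile does not contain a SHA-512 digest" >&2
        return 1
    fi
    actual=$(sha512_of "$archive" | tr 'A-F' 'a-f')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $archive"
        return 0
    fi
    echo "MISMATCH: $archive" >&2
    return 1
}

demo() {
    # Constructed stand-in for a staged source release (not a real artifact).
    dir=$(mktemp -d)
    zip=$dir/sling-example-1.0.0-source-release.zip
    printf 'constructed release content\n' > "$zip"
    make_checksum_file "$zip"      # what the PMC member does by hand
    verify_checksum_file "$zip"    # what each reviewer does on the download
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

To check a staged artifact, save the digest from the vote mail as `<archive>.sha512` next to the download and run `verify_checksum_file <archive>`. Note that a matching checksum only shows the bytes you downloaded are the bytes the release manager hashed; the `.asc` signature is still what ties the archive to a committer's key, so the two checks complement rather than replace each other.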

