Posted to commits@wicket.apache.org by "Andrea Del Bene (JIRA)" <ji...@apache.org> on 2017/01/09 12:04:58 UTC
[jira] [Comment Edited] (WICKET-6074) Use SHA 256+ for signing the release artefacts
[ https://issues.apache.org/jira/browse/WICKET-6074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15811604#comment-15811604 ]
Andrea Del Bene edited comment on WICKET-6074 at 1/9/17 12:04 PM:
------------------------------------------------------------------
I'm afraid we can't do much about it.
md5 is used by the automatic checker, so we must keep it: http://mirror-vm.apache.org/~henkp/checker/faq.html
Here is the release document that requires producing a .md5 file and an .asc one:
https://www.apache.org/dev/release-signing.html#basic-facts
was (Author: bitstorm):
md5 is used by the automatic checker, so we must keep it: http://mirror-vm.apache.org/~henkp/checker/faq.html
Here is the release document that requires producing a .md5 file and an .asc one:
https://www.apache.org/dev/release-signing.html#basic-facts
> Use SHA 256+ for signing the release artefacts
> ----------------------------------------------
>
> Key: WICKET-6074
> URL: https://issues.apache.org/jira/browse/WICKET-6074
> Project: Wicket
> Issue Type: Task
> Components: release
> Affects Versions: 6.21.0, 7.2.0
> Reporter: Martin Grigorov
> Assignee: Martijn Dashorst
>
> See the discussion at dev@ about checking the release: http://markmail.org/message/yu2f64rndmncseyd
> There are a few issues:
> 1) It seems sha1sum is used. It will be better to use SHA 256+
> from release.sh:
> gpg --print-md SHA1 target/dist/apache-wicket-$version.tar.gz > target/dist/apache-wicket-$version.tar.gz.sha
> 2) Drop .md5 ?!
> "man md5sum" says:
> BUGS
> The MD5 algorithm should not be used any more for security related purposes. Instead, better use an SHA-2 algorithm, implemented in the programs sha224sum(1), sha256sum(1), sha384sum(1),
> sha512sum(1)
> 3) use "sha256sum" instead of "gpg --print-md SHA1" to create the file to make it simpler for checking later with "sha256sum -c"
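Point 3 of the issue, sketched as an added example (this is not code from Wicket's release.sh, and the function names and artefact name are constructed for illustration): the checksum file is written from inside the distribution directory so it records only the file's basename, which lets a downloader run `sha256sum -c` next to the downloaded artefact without recreating the `target/dist/` build path.

```bash
#!/usr/bin/env bash
# Added example: sha256sum-style checksum files that "sha256sum -c" can check.
# Assumes GNU coreutils sha256sum; write_sha256/verify_sha256 are hypothetical names.

# write_sha256 FILE: create FILE.sha256 beside FILE, recording the basename only.
write_sha256() {
    local file=$1 dir base
    dir=$(dirname -- "$file")
    base=$(basename -- "$file")
    # Hash from inside the directory so the build path is not baked into the file.
    ( cd -- "$dir" && sha256sum -- "$base" > "$base.sha256" )
}

# verify_sha256 FILE: return 0 only if FILE still matches FILE.sha256.
verify_sha256() {
    local file=$1 dir base
    dir=$(dirname -- "$file")
    base=$(basename -- "$file")
    # --status suppresses output; the exit code carries the result.
    ( cd -- "$dir" && sha256sum --check --status -- "$base.sha256" )
}

# demo: run both functions on a constructed artefact, then on a modified copy.
demo() {
    local tmp artefact
    tmp=$(mktemp -d)
    mkdir -p "$tmp/target/dist"
    # Constructed file name and content, not a real release.
    artefact="$tmp/target/dist/apache-wicket-0.0.0-example.tar.gz"
    printf 'constructed release payload\n' > "$artefact"

    write_sha256 "$artefact"
    if verify_sha256 "$artefact"; then echo "intact artefact: OK"; fi

    # Simulate corruption or tampering after the checksum was published.
    printf 'extra bytes\n' >> "$artefact"
    if ! verify_sha256 "$artefact"; then echo "modified artefact: FAILED"; fi

    rm -rf "$tmp"
}

demo
```

A checksum file only detects changes to the artefact if the checksum itself comes from a trusted place; the .asc signature mentioned in the comment is what ties the artefact to the release manager's key.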