Posted to dev@lens.apache.org by Amareshwari Sriramdasu <am...@apache.org> on 2018/03/05 11:39:09 UTC

Fwd: checksum file Release Distribution Policy

---------- Forwarded message ----------
From: "Henk P. Penning" <pe...@uu.nl>
Date: Mar 5, 2018 4:48 PM
Subject: checksum file Release Distribution Policy
To: <he...@apache.org>
Cc:

Hi Pmcs,

   The Release Distribution Policy[1] changed regarding checksum files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

     MD5-file == a .md5 file
     SHA-file == a .sha1, .sha256 or .sha512 file

  Old policy :

     -- MUST provide a MD5-file
     -- SHOULD provide a SHA-file [SHA-512 recommended]

  New policy :

     -- MUST provide a SHA- or MD5-file
     -- SHOULD provide a SHA-file
     -- SHOULD NOT provide a MD5-file

     Providing MD5 checksum files is now discouraged for new releases,
     but still allowed for past releases.

  Why this change :

     -- MD5 is broken for many purposes ; we should move away from it.
        https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

  Impact for PMCs :

     -- for new releases :
        -- please do provide a SHA-file (one or more, if you like)
        -- do NOT provide a MD5-file

     -- for past releases :
        -- you are not required to change anything
        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
           it would be nice if you removed the MD5-file

     -- if, at the moment, you provide MD5-files,
        please adjust your release tooling.

  Please mail me (henkp@apache.org) if you have any questions etc.

  FYI :

   Many projects are not (entirely, strictly) checksum file compliant.
   For an overview/inventory (by project) see :

    https://checker.apache.org/dist/unsummed.html

  At the moment :

     -- no checksum : 176 packages in 28 projects ; non-compliant
     -- only MD5    : 495 packages in 44 projects ; update tooling
     -- only SHA    : 135 packages in 13 projects ; now compliant

   In many cases, only a few (among many) checksum files are missing ;
   you may want to fix that.

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

  Thanks, groeten,

  Henk Penning -- apache.org infrastructure ; dist & mirrors.

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/
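As an added example (not part of Henk's mail or of any ASF release tooling): a POSIX shell audit that sorts each artifact in a dist directory into the three categories listed above (no checksum, only MD5, SHA present), and a helper that writes the recommended .sha512 file in the format `sha512sum -c` verifies. Function names are hypothetical; it assumes GNU coreutils `sha512sum` and `md5sum`.

```shell
#!/bin/sh
# Added example: audit a release dist directory against the new checksum policy.
# "compliant" = a .sha1/.sha256/.sha512 sits beside the artifact; "md5-only" =
# only a .md5 does (update tooling); "no-checksum" = neither. Names hypothetical.

# classify_artifact FILE -> compliant | md5-redundant | md5-only | no-checksum
classify_artifact() {
    f=$1; has_sha=0; has_md5=0
    for ext in sha1 sha256 sha512; do
        [ -f "$f.$ext" ] && has_sha=1
    done
    [ -f "$f.md5" ] && has_md5=1
    if [ "$has_sha" -eq 1 ] && [ "$has_md5" -eq 1 ]; then
        echo md5-redundant      # compliant; the .md5 may simply be removed
    elif [ "$has_sha" -eq 1 ]; then
        echo compliant
    elif [ "$has_md5" -eq 1 ]; then
        echo md5-only
    else
        echo no-checksum
    fi
}

# make_sha512 FILE: write FILE.sha512 as "<hex>  <basename>", the format
# `sha512sum -c` verifies, so the checksum is created relative to its artifact.
make_sha512() {
    (cd "$(dirname "$1")" && sha512sum "$(basename "$1")" > "$(basename "$1").sha512")
}

# audit_dir DIR: print "<status> <path>" for every artifact (checksum and
# signature files are skipped; they are not artifacts themselves).
audit_dir() {
    for f in "$1"/*; do
        case "$f" in *.md5|*.sha1|*.sha256|*.sha512|*.asc) continue ;; esac
        [ -f "$f" ] || continue
        echo "$(classify_artifact "$f") $f"
    done
}

# Constructed demo: one artifact of each kind in a temporary dist directory.
demo() {
    d=$(mktemp -d)
    for n in a b c; do printf 'release %s\n' "$n" > "$d/$n.tar.gz"; done
    (cd "$d" && md5sum b.tar.gz > b.tar.gz.md5)   # legacy tooling output
    make_sha512 "$d/c.tar.gz"                     # new-policy output
    audit_dir "$d"
    (cd "$d" && sha512sum -c c.tar.gz.sha512)     # prints "c.tar.gz: OK"
    rm -rf "$d"
}
demo
```

Pointing `audit_dir` at a real `dist/release/<project>` checkout reproduces, per artifact, the three counts from the checker inventory above.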