You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@systemml.apache.org by "Arvind Surve (JIRA)" <ji...@apache.org> on 2017/09/05 16:57:00 UTC

[jira] [Created] (SYSTEMML-1890) Update Release Distribution policy

Arvind Surve created SYSTEMML-1890:
--------------------------------------

             Summary: Update Release Distribution policy
                 Key: SYSTEMML-1890
                 URL: https://issues.apache.org/jira/browse/SYSTEMML-1890
             Project: SystemML
          Issue Type: New Feature
            Reporter: Arvind Surve
            Assignee: Arvind Surve


Update Release Distribution policy.

Per note (dated 08/16/2017 from Henk Penning), which is attached below couple of things need to happen.
   1. Update .sha file extension based on she type .sha, sha256, sha512 etc
   2. Better to get 512 algorithm, 

I am handling both above changes as a part of this request in note.

-------------------------------------------------------------------------------------------------------------
Hi PMC,

    The Release Distribution Policy[1] changed regarding .sha files.
    See under "Cryptographic Signatures and Checksums Requirements" [2].

  Old policy :

    -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

  New policy :

      -- use .sha1 for a SHA-1 checksum
      -- use .sha256 for a SHA-256 checksum
      -- use .sha512 for a SHA-512 checksum
      -- [*] .sha should contain a SHA-1

  Why this change ?

      -- Verifying a checksum under the old policy is/was not handy.
        You have to inspect the .sha to find out which algorithm
        should be used ; or try them all (SHA-1, SHA256, etc).
        The new scheme avoids this ambiguity.
      -- The last point[*] was only added for clarity. Most of the
        old, stale .sha's contain a SHA-1. The relatively new .sha's
        contain a SHA-512. The expectation is that the last catagory will
        disappear, when active projects adapt to the 'new' convention.

  Impact :

      -- Should be none ; many projects already use the 'new' convention.
      -- Please ask your release managers to use .sha1, .sha256, .sha512
        instead of the .sha extension.
      -- Please fix your build-tools if you have any.

  Piggyback :

      -- The policy requires a .md5 for every package ;
        providing a .sha512 is recommended.
        Since MD5 is essentially broken, it is to be expected that
        in the future a .sha512 will be required.
        Perhaps it is wize to start providing .sha512's
        with your releases if you do not already do so.

      -- Visit http://mirror-vm.apache.org/checker/
        to check the health of your /dist/-area ;
        my stuff ; any feedback is most welcome.




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)