Posted to jdo-dev@db.apache.org by Tilmann Zäschke <za...@gmx.de> on 2021/12/19 15:14:58 UTC

Fwd: [jira] [Comment Edited] (INFRA-22540) Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5

Hi,

the INFRA ticket just got updated.

Could someone have a look whether I am describing the process/issue
correctly?

https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461830#comment-17461830

Thanks,
Til



-------- Forwarded Message --------
Subject: [jira] [Comment Edited] (INFRA-22540) Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5
Date: Sat, 18 Dec 2021 10:26:00 +0000 (UTC)
From: Herve Boutemy (Jira) <ji...@apache.org>
To: tilmannz@apache.org




[ https://issues.apache.org/jira/browse/INFRA-22540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461830#comment-17461830 ]
Herve Boutemy edited comment on INFRA-22540 at 12/18/21, 10:25 AM:
-------------------------------------------------------------------

we had such a discussion at Maven level: there is in general a confusion
between
1. Apache rules on source releases to dist, which mandate sha256/sha512
2. Central rules on every artifact (jar, pom, anything not related to an
Apache source release), which still ask for sha1/md5 checksums and a
PGP signature for more serious checks

in Apache parent POM release 24 (MPOM-244), we added a configuration to
generate sha512 for source-release artifacts when publishing to
Nexus/Central to help projects: see the documentation at
https://maven.apache.org/pom/asf/#The_apache-release_Profile

but not every project uses the Apache parent POM, or has upgraded to 24,
or even uses Maven to build, so I don't know what the best
solution is for [~tilmannz]

at least, please consider the difference in policy between an Apache source
release archive and any other artifact published to Central if you change
something


was (Author: hboutemy):
we had such discussion at Maven level: there is in general a confusion
between
1. Apache rules on source release to dist, which mandate sha256/sha512
2. Central rules on every artifacts (jar, pom, anything not related to
Apache source release), which still asks for sha1/md5 for checksums and
PGP signature for more serious checks

in Apache parent POM release 24 MPOM-244, we added a configuration to
generate sha512 for source-release artifacts when publishing to
Nexus/Central to help projects: see documentation
https://maven.apache.org/pom/asf/#The_apache-release_Profile

but not every project uses Apache parent POM, or did not upgrade to 24,
or do not even use Maven to build, so I don't know what's the best
solution for [~tilmannz]

at least, please consider the difference in policy of Apache release
source release vs any artifact published to Central if you change something

> Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5
> --------------------------------------------------------------------------
>
> Key: INFRA-22540
> URL: https://issues.apache.org/jira/browse/INFRA-22540
> Project: Infrastructure
> Issue Type: Improvement
> Components: Nexus
> Reporter: Tilmann Zäschke
> Priority: Major
>
> The Release Distribution Policy
> (https://infra.apache.org/release-distribution) states:
> "PMCs must supply SHA-256 and/or SHA-512 and should not supply MD5 or
> SHA-1."
> However, currently the Apache Rules in Nexus appear to enforce that
> all files (including .zip and .tar.gz) have .sha1 and .md5
> pendants. For our project, "closing" a release candidate fails with:
> Event: Failed: Checksum Validation
> typeId checksum-staging
> failureMessage Required SHA-1:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1'
> failureMessage Required MD5:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5'
> failureMessage Required SHA-1:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1'
> failureMessage Required MD5:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5'
> Can the Apache Rules in Nexus be adapted to allow or even enforce that
> files (other than .jar/.pom) are signed with sha256/sha512 instead
> of sha1/md5?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
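As an added illustration (not code from the ticket, the JDO project, Nexus or the Maven parent POM): a small Python checker that audits a staging tree laid out like the one in the ticket against both rule sets Herve distinguishes, the Nexus "Apache Rules" (.sha1 and .md5 for every file) and the release-distribution policy (SHA-256/SHA-512 for source-release archives, no MD5/SHA-1). The directory contents are constructed dummy bytes and the jar filename is an assumption; the output shows why a source-release archive that satisfies the dist policy still trips the Nexus rule.

```python
import hashlib
import tempfile
from pathlib import Path

LABEL = {"sha1": "SHA-1", "md5": "MD5", "sha256": "SHA-256", "sha512": "SHA-512"}  # as Nexus prints them
NEXUS_REQUIRED = ("sha1", "md5")          # Nexus "Apache Rules" per the ticket: every file
DIST_REQUIRED_ANY = ("sha256", "sha512")  # release-distribution policy: source releases
DIST_DISCOURAGED = ("md5", "sha1")        # "should not supply" for source releases
SIDECARS = tuple("." + a for a in LABEL) + (".asc",)  # checksum/signature files, not artifacts

def sidecar(artifact, algo):
    return artifact.with_name(artifact.name + "." + algo)

def write_checksum(artifact, algo):
    """Write '<hexdigest>  <filename>' beside the artifact (the format sha512sum -c reads)."""
    digest = hashlib.new(algo, artifact.read_bytes()).hexdigest()
    sidecar(artifact, algo).write_text(f"{digest}  {artifact.name}\n")

def checksum_ok(artifact, algo):
    """True only if the sidecar exists and its digest matches the artifact's bytes."""
    path = sidecar(artifact, algo)
    return path.exists() and hashlib.new(algo, artifact.read_bytes()).hexdigest() == path.read_text().split()[0]

def audit(staging_dir):
    """Check every artifact against both rule sets, worded like the ticket's failure lines."""
    root, findings = Path(staging_dir), []
    for artifact in sorted(p for p in root.rglob("*") if p.is_file() and not p.name.endswith(SIDECARS)):
        rel = "/" + artifact.relative_to(root).as_posix()
        for algo in NEXUS_REQUIRED:  # Nexus wants sha1+md5 for every file, source release included
            if not checksum_ok(artifact, algo):
                findings.append(f"nexus: Required {LABEL[algo]}: '{rel}.{algo}'")
        if "-source-release." in artifact.name:  # the dist policy applies only to these
            if not any(checksum_ok(artifact, a) for a in DIST_REQUIRED_ANY):
                findings.append(f"dist: Required SHA-256 or SHA-512: '{rel}'")
            for algo in DIST_DISCOURAGED:
                if sidecar(artifact, algo).exists():
                    findings.append(f"dist: should not supply {LABEL[algo]}: '{rel}.{algo}'")
    return findings

def demo():
    """Constructed staging tree mirroring the ticket's paths; file contents are dummy bytes."""
    d = Path(tempfile.mkdtemp()) / "org/apache/jdo/3.2-RC3"
    d.mkdir(parents=True)
    src, jar = d / "jdo-3.2-RC3-source-release.zip", d / "jdo-3.2-RC3.jar"  # jar name assumed
    src.write_bytes(b"constructed source release archive")
    jar.write_bytes(b"constructed jar")
    write_checksum(src, "sha512")  # what the dist policy asks for
    for algo in NEXUS_REQUIRED:    # what Nexus asks for; supplied here only for the jar
        write_checksum(jar, algo)
    return audit(d.parents[3])     # the temp dir four levels up
```

Running demo() reproduces the two "Required SHA-1" / "Required MD5" findings for the source-release zip even though its .sha512 is present and correct, which is exactly the policy conflict the ticket reports.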