Posted to dev@ignite.apache.org by Denis Magda <dm...@apache.org> on 2017/08/16 22:51:33 UTC
Fwd: .sha Release Distribution Policy
Igniters, especially the release managers,
Please consider these changes and recommendations for the next release. Do we have any ticket that already takes this into account?
—
Denis
> Begin forwarded message:
>
> From: "Henk P. Penning" <pe...@uu.nl>
> Subject: .sha Release Distribution Policy
> Date: August 16, 2017 at 1:55:57 AM PDT
> To: <he...@apache.org>
> Reply-To: private@ignite.apache.org
>
> Hi PMC,
>
> The Release Distribution Policy[1] changed regarding .sha files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> Old policy :
>
> -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
>
> New policy :
>
> -- use .sha1 for a SHA-1 checksum
> -- use .sha256 for a SHA-256 checksum
> -- use .sha512 for a SHA-512 checksum
> -- [*] .sha should contain a SHA-1
>
> Why this change ?
>
> -- Verifying a checksum under the old policy is/was not handy.
> You have to inspect the .sha to find out which algorithm
> should be used ; or try them all (SHA-1, SHA256, etc).
> The new scheme avoids this ambiguity.
> -- The last point[*] was only added for clarity. Most of the
> old, stale .sha's contain a SHA-1. The relatively new .sha's
> contain a SHA-512. The expectation is that the last category will
> disappear, when active projects adapt to the 'new' convention.
>
> Impact :
>
> -- Should be none ; many projects already use the 'new' convention.
> -- Please ask your release managers to use .sha1, .sha256, .sha512
> instead of the .sha extension.
> -- Please fix your build-tools if you have any.
>
> Piggyback :
>
> -- The policy requires a .md5 for every package ;
> providing a .sha512 is recommended.
> Since MD5 is essentially broken, it is to be expected that
> in the future a .sha512 will be required.
> Perhaps it is wise to start providing .sha512's
> with your releases if you do not already do so.
>
> -- Visit http://mirror-vm.apache.org/checker/
> to check the health of your /dist/-area ;
> my stuff ; any feedback is most welcome.
>
> Thanks ; regards,
>
> Henk Penning
>
> [1] http://www.apache.org/dev/release-distribution
> [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>
> ------------------------------------------------------------
> Henk P. Penning ; apache.org infrastructure volunteer.
> henkp@apache.org ; http://mirror-vm.apache.org/~henkp/
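
Added example, not part of the original thread and not ASF or Ignite tooling: a verifier that picks the hash algorithm from the checksum file's extension as the new policy intends, and falls back to guessing from the digest length only for a legacy .sha file. The function names, the sample artifact name and the assumed file layout (the digest is the first hex token of the right length) are illustrative assumptions.

```python
import hashlib
import hmac
import string
import tempfile
from pathlib import Path

# New policy: the extension names the algorithm.
EXT_TO_ALGO = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Legacy ".sha": the algorithm has to be inferred from the hex digest length.
HEXLEN_TO_ALGO = {40: "sha1", 64: "sha256", 128: "sha512"}

def expected_digest(checksum_file: Path) -> str:
    """Return the first token that looks like a hex digest (assumed file layout)."""
    for token in checksum_file.read_text().split():
        if len(token) in HEXLEN_TO_ALGO and all(c in string.hexdigits for c in token):
            return token.lower()
    raise ValueError(f"no hex digest found in {checksum_file.name}")

def pick_algorithm(checksum_file: Path, digest: str) -> str:
    ext = checksum_file.suffix.lower()
    if ext == ".sha":  # old policy: ambiguous, fall back to the digest length
        return HEXLEN_TO_ALGO[len(digest)]
    if ext not in EXT_TO_ALGO:
        raise ValueError(f"unsupported checksum extension {ext!r}")
    algo = EXT_TO_ALGO[ext]
    if HEXLEN_TO_ALGO[len(digest)] != algo:  # e.g. a SHA-512 stored in a .sha1 file
        raise ValueError(f"{checksum_file.name}: digest length does not match {algo}")
    return algo

def verify(artifact: Path, checksum_file: Path) -> tuple:
    """Return (algorithm used, whether the artifact matches the published digest)."""
    digest = expected_digest(checksum_file)
    h = hashlib.new(pick_algorithm(checksum_file, digest))
    with artifact.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.name, hmac.compare_digest(h.hexdigest(), digest)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d, "example-1.0.zip")  # constructed sample, not a real release
        artifact.write_bytes(b"constructed release bytes")
        sha512 = hashlib.sha512(artifact.read_bytes()).hexdigest()
        Path(d, "example-1.0.zip.sha512").write_text(f"{sha512}  {artifact.name}\n")
        Path(d, "example-1.0.zip.sha").write_text(sha512 + "\n")
        return {p.suffix: verify(artifact, p) for p in sorted(Path(d).glob("*.sha*"))}

if __name__ == "__main__":
    print(demo())
```

A match only shows that the artifact and the checksum file agree; it says nothing about who published them.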
Re: .sha Release Distribution Policy
Posted by Denis Magda <dm...@apache.org>.
Guys,
Thanks for the confirmation and taking care of this.
—
Denis
> On Aug 17, 2017, at 1:32 AM, Sergey Kozlov <sk...@gridgain.com> wrote:
>
> Denis
>
> Also, we don't use the .sha extension, so we already follow those rules.
>
> On Thu, Aug 17, 2017 at 10:57 AM, Oleg Ostanin <oo...@gridgain.com>
> wrote:
>
>> Hi, Denis
>>
>> Yes, we have a ticket that already takes this into account:
>> https://issues.apache.org/jira/browse/IGNITE-5817
>> I think we can create both sha-256 and sha-512 checksums.
>>
>> Best regards
>> Oleg
>>
>
>
>
> --
> Sergey Kozlov
> GridGain Systems
> www.gridgain.com
Re: .sha Release Distribution Policy
Posted by Sergey Kozlov <sk...@gridgain.com>.
Denis
Also, we don't use the .sha extension, so we already follow those rules.
On Thu, Aug 17, 2017 at 10:57 AM, Oleg Ostanin <oo...@gridgain.com>
wrote:
> Hi, Denis
>
> Yes, we have a ticket that already takes this into account:
> https://issues.apache.org/jira/browse/IGNITE-5817
> I think we can create both sha-256 and sha-512 checksums.
>
> Best regards
> Oleg
>
--
Sergey Kozlov
GridGain Systems
www.gridgain.com
Re: .sha Release Distribution Policy
Posted by Oleg Ostanin <oo...@gridgain.com>.
Hi, Denis
Yes, we have a ticket that already takes this into account:
https://issues.apache.org/jira/browse/IGNITE-5817
I think we can create both sha-256 and sha-512 checksums.
Best regards
Oleg