Posted to dev@commons.apache.org by Gary Gregory <ga...@gmail.com> on 2018/08/13 22:50:57 UTC

Fwd: New release distribution checksum policy

TLDR;

The release distribution checksum policy requires new releases to use
SHA-512 or SHA-256 and not SHA-1 for verification. Existing releases do not
need to be changed. Releases still need to be signed via detached PGP
signatures.

---------- Forwarded message ---------
From: Craig Russell <ap...@gmail.com>
Date: Mon, Aug 13, 2018 at 4:46 PM
Subject: New release distribution checksum policy
To: Apache Members <me...@apache.org>


TLDR;

The release distribution checksum policy requires new releases to use
SHA-512 or SHA-256 and not SHA-1 for verification. Existing releases do not
need to be changed. Releases still need to be signed via detached PGP
signatures.

Details:

Recently, a successful penetration of SHA-1 was verified, and SHA-1 is no
longer considered safe for crypto hashes
https://www.pcworld.com/article/3173791/security/stop-using-sha1-it-s-now-completely-unsafe.html


[1] http://www.apache.org/legal/release-policy.html#release-announcements
[2] https://www.apache.org/dev/release-distribution#download-links
[3] https://www.apache.org/dev/release-distribution#sigs-and-sums


Announcements of Apache project releases must contain a link to the relevant
download page, which might be hosted on an Apache site or a third party site
such as github.com. [1]

All official releases must be uploaded to the official distribution channel,
www.apache.org/dist.

The download page must provide public download links where current official
source releases and accompanying cryptographic files may be obtained. [2]

The policy on release distribution has been changed to require SHA-512 or
SHA-256 and disallow new artifacts to use SHA-1. [3]

Links to the download artifacts must support downloads from mirrors, e.g.
via links to dyn/closer. Links to metadata (SHA, ASC) must be from
https://www.apache.org/dist/<project>/<release> and specifically not from
dist.apache.org/repos/dist

MD5 is no longer considered useful and should not be used. SHA is required.
Similarly, SHA-1 is no longer considered useful and should not be used.
SHA-512 (preferred) or SHA-256 are required for new releases. Older releases
need not be updated, may continue unchanged, and might use MD5 or SHA-1.

Links to KEYS must be from https://www.apache.org/dist/<project>/ not
release-specific.

Announcements that contain a link to the dyn/closer page alone will be
rejected by the moderators.

Announcements that contain a link to a web page that does not include a link
to a mirror to the artifact plus links to the signature and at least one sha
checksum will be rejected.

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo
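The checksum side of the policy above, as an added example that is not code from the ASF, from Commons, or from either author of the thread. It verifies a downloaded artifact against a .sha512/.sha256 file, refuses MD5/SHA-1 checksum files (disallowed for new releases), and checks that a metadata link points at https://www.apache.org/dist/<project>/<release>/ rather than dist.apache.org/repos/dist. Two checksum-file layouts are assumed: the "<hex>  <filename>" line written by sha512sum/sha256sum, and the "<filename>: AAAA BBBB ..." layout written by gpg --print-md, which may wrap over several lines. The artifact bytes, file names, project and release used in the demo are all constructed here. The detached PGP signature check (gpg --verify against KEYS) is still required and is not replaced by this script.

```python
"""Verify an Apache-style release artifact against its checksum file.

Added example; not ASF or Commons code. Assumes the two checksum-file
layouts found under www.apache.org/dist (shaNNNsum and gpg --print-md).
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Digest length in hex characters -> algorithm. MD5 and SHA-1 are listed
# only so that they can be rejected by name.
_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_ALLOWED = {"sha256", "sha512"}  # policy for new releases


def parse_checksum_file(text: str) -> tuple[str, str]:
    """Return (algorithm, lowercase hex digest) from a checksum file.

    shaNNNsum layout:     "<hex>  <filename>"            -> keep the hex
    gpg --print-md layout: "<filename>: AAAA BBBB ..."   -> keep the right side
    The digest is then classified by its length.
    """
    body = text.strip()
    first = body.split()[0] if body else ""
    if re.fullmatch(r"[0-9A-Fa-f]{32,}", first):
        body = first
    elif ":" in body:
        body = body.split(":", 1)[1]
    else:
        raise ValueError("unrecognised checksum file layout")
    hexdigest = re.sub(r"[^0-9A-Fa-f]", "", body).lower()
    algo = _BY_HEX_LEN.get(len(hexdigest))
    if algo is None:
        raise ValueError(f"unrecognised digest length {len(hexdigest)}")
    return algo, hexdigest


def verify_artifact(artifact: Path, checksum_file: Path) -> str:
    """Hash `artifact` with the algorithm implied by `checksum_file`.

    Returns the algorithm name on success; raises ValueError when the
    checksum file uses MD5/SHA-1 or when the digest does not match.
    """
    algo, expected = parse_checksum_file(checksum_file.read_text())
    if algo not in _ALLOWED:
        raise ValueError(f"{checksum_file.name} uses {algo}; "
                         "policy requires SHA-256 or SHA-512")
    h = hashlib.new(algo)
    with artifact.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    actual = h.hexdigest()
    if actual != expected:
        raise ValueError(f"{algo} mismatch for {artifact.name}: "
                         f"got {actual}, expected {expected}")
    return algo


def metadata_link_ok(url: str, project: str, release: str) -> bool:
    """True if a .sha512/.sha256/.asc link is served from
    https://www.apache.org/dist/<project>/<release>/ and not from
    dist.apache.org/repos/dist, as the policy requires."""
    prefix = f"https://www.apache.org/dist/{project}/{release}/"
    return url.startswith(prefix) and "dist.apache.org/repos/dist" not in url


def demo() -> dict:
    """Constructed scenario: a fake tarball, a sha512sum-style file, a
    gpg --print-md-style SHA-256 file, a SHA-1 file, then a tampered tarball."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        art = root / "example-1.0-src.tar.gz"  # hypothetical artifact name
        art.write_bytes(b"not a real release; constructed for this example\n" * 100)
        data = art.read_bytes()
        (root / "a.sha512").write_text(
            f"{hashlib.sha512(data).hexdigest()}  {art.name}\n")
        grouped = " ".join(hashlib.sha256(data).hexdigest().upper()[i:i + 4]
                           for i in range(0, 64, 4))
        (root / "a.sha256").write_text(  # wrapped gpg --print-md layout
            f"{art.name}: {grouped[:40]}\n {grouped[40:]}\n")
        (root / "a.sha1").write_text(
            f"{hashlib.sha1(data).hexdigest()}  {art.name}\n")
        results = {"sha512": verify_artifact(art, root / "a.sha512"),
                   "sha256": verify_artifact(art, root / "a.sha256")}
        try:
            verify_artifact(art, root / "a.sha1")
            results["sha1"] = "accepted"
        except ValueError:
            results["sha1"] = "rejected"
        art.write_bytes(data + b"x")  # tamper with the artifact
        try:
            verify_artifact(art, root / "a.sha512")
            results["tampered"] = "accepted"
        except ValueError:
            results["tampered"] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

Classifying the digest by length rather than trusting the file extension means a .sha512 file that actually carries a SHA-1 digest is rejected rather than silently compared, and the gpg --print-md layout is accepted without needing gpg installed. The signature (.asc) must still be checked separately with gpg against the project's KEYS file.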