Posted to release-discuss@apache.org by he...@free.fr on 2018/08/07 20:50:12 UTC

MPOM-205 creating source release checksums in target for Apache dist area

Hi,

Recently, Apache distribution policy changed regarding checksums [1]: now, SHA-256 or SHA-512 checksums are required.

This led to discussion about changing checksums used on Maven repository and/or Apache Nexus repository.

But Maven repository requirements and Apache source distribution requirements are completely independent: why tie them?


I just implemented SHA-256 and SHA-512 checksums tracked through MPOM-205 [2]:
1. only for Apache source release files
2. only in local build, available in target/ directory (nothing related to Maven repository nor deploy)

See the related Git branch [3]


Anything to add before I merge this branch to master?
And eventually launch Apache parent POM 21 release quite soon...

Regards,

Hervé


[1] http://www.apache.org/dev/release-distribution#sigs-and-sums

[2] https://issues.apache.org/jira/browse/MPOM-205

[3] https://github.com/apache/maven-apache-parent/tree/MPOM-205

Re: MPOM-205 creating source release checksums in target for Apache dist area

Posted by he...@free.fr.
no objection: update merged with existing checksum-maven-plugin

the maintainer created a new 1.7 version for us to add a failIfNoFiles feature

if someone creates a plugin that is more adapted, we can change in the future

if nobody beats me to it, I'll start a release in one week from now

regards,

Hervé

----- Original Message -----
From: "Robert Scholte" <rf...@apache.org>
To: "Maven Developers List" <de...@maven.apache.org>
Sent: Tuesday, 7 August 2018 23:33:31
Subject: Re: MPOM-205 creating source release checksums in target for Apache dist area

On Tue, 07 Aug 2018 23:29:04 +0200, <he...@free.fr> wrote:

> squashed and kept only SHA-512
>
> Maven core plugins don't cover everything even quite generic like  
> creating checksums, that's why there are many Maven plugins out there...

Maven Resolver generates these files while deploying, so for us there was  
no real need for a specific plugin. With the different demand from ASF we  
should consider writing a maven-checksum-plugin.

Robert

>
> Regards,
>
> Hervé
>
> ----- Original Message -----
> From: "Michael Osipov" <mi...@apache.org>
> To: "Maven Developers List" <de...@maven.apache.org>, "herve boutemy"
> <he...@free.fr>
> Cc: release-discuss@apache.org
> Sent: Tuesday, 7 August 2018 23:04:46
> Subject: Re: MPOM-205 creating source release checksums in target for
> Apache dist area
>
> On 2018-08-07 at 22:50, herve.boutemy@free.fr wrote:
>> Hi,
>>
>> Recently, Apache distribution policy changed regarding checksums [1]:
>> now, SHA-256 or SHA-512 checksums are required.
>>
>> This led to discussion about changing checksums used on Maven
>> repository and/or Apache Nexus repository.
>>
>> But Maven repository requirements and Apache source distribution
>> requirements are completely independent: why tie them?
>>
>>
>> I just implemented SHA-256 and SHA-512 checksums tracked through  
>> MPOM-205 [2]:
>> 1. only for Apache source release files
>> 2. only in local build, available in target/ directory (nothing related  
>> to Maven repository nor deploy)
>>
>> See the related Git branch [3]
>>
>>
>> Anything to add before I merge this branch to master?
>> And eventually launch Apache parent POM 21 release quite soon...
>
> Please squash.
>
> It is a pity to see that none of our plugins can produce the checksums.
> While the requirement says at least one checksum, do you see any huge
> benefit having SHA512 over 256? I see none.
>
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
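
As an added illustration (not code from this thread, from the Apache parent POM or from checksum-maven-plugin), the following Python example reproduces the behaviour described in the first post and in this follow-up: SHA-512 files written only for source-release archives, only inside the local target/ directory, with a switch modelled on the failIfNoFiles feature. The `*-source-release.*` naming, the `digest  filename` sidecar layout and all function names are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Assumption: release archives are named "<artifact>-<version>-source-release.<ext>".
SOURCE_RELEASE_GLOBS = ("*-source-release.zip", "*-source-release.tar*")

def sha512_of(path: Path) -> str:
    """Stream the file so large archives are not loaded into memory."""
    digest = hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_checksums(target: Path, fail_if_no_files: bool = False) -> list[Path]:
    """Write <archive>.sha512 next to each source-release archive in target/."""
    archives = sorted(
        p for g in SOURCE_RELEASE_GLOBS for p in target.glob(g)
        if p.is_file() and p.suffix not in (".sha512", ".asc")  # skip sidecars
    )
    if not archives and fail_if_no_files:
        raise FileNotFoundError(f"no source-release archive in {target}")
    sidecars = []
    for archive in archives:
        sidecar = archive.with_name(archive.name + ".sha512")
        sidecar.write_text(f"{sha512_of(archive)}  {archive.name}\n")
        sidecars.append(sidecar)
    return sidecars

def verify(sidecar: Path) -> bool:
    """Recompute the digest and compare it with the first field of the sidecar."""
    expected = sidecar.read_text().split()[0].lower()
    archive = sidecar.with_name(sidecar.name[: -len(".sha512")])
    return hmac.compare_digest(expected, sha512_of(archive))

def demo() -> tuple[bool, bool]:
    """Constructed sample: a fake archive that is modified after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        archive = target / "demo-1.0-source-release.zip"
        archive.write_bytes(b"constructed sample content")
        (sidecar,) = write_checksums(target, fail_if_no_files=True)
        intact = verify(sidecar)
        archive.write_bytes(b"tampered content")
        return intact, verify(sidecar)
```

A checksum file produced this way detects corruption or substitution of the archive only when the sidecar itself is fetched from a trusted location.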


Re: MPOM-205 creating source release checksums in target for Apache dist area

Posted by Robert Scholte <rf...@apache.org>.
On Tue, 07 Aug 2018 23:29:04 +0200, <he...@free.fr> wrote:

> squashed and kept only SHA-512
>
> Maven core plugins don't cover everything even quite generic like  
> creating checksums, that's why there are many Maven plugins out there...

Maven Resolver generates these files while deploying, so for us there was  
no real need for a specific plugin. With the different demand from ASF we  
should consider writing a maven-checksum-plugin.

Robert

>
> Regards,
>
> Hervé
>
> ----- Original Message -----
> From: "Michael Osipov" <mi...@apache.org>
> To: "Maven Developers List" <de...@maven.apache.org>, "herve boutemy"
> <he...@free.fr>
> Cc: release-discuss@apache.org
> Sent: Tuesday, 7 August 2018 23:04:46
> Subject: Re: MPOM-205 creating source release checksums in target for
> Apache dist area
>
> On 2018-08-07 at 22:50, herve.boutemy@free.fr wrote:
>> Hi,
>>
>> Recently, Apache distribution policy changed regarding checksums [1]:
>> now, SHA-256 or SHA-512 checksums are required.
>>
>> This led to discussion about changing checksums used on Maven
>> repository and/or Apache Nexus repository.
>>
>> But Maven repository requirements and Apache source distribution
>> requirements are completely independent: why tie them?
>>
>>
>> I just implemented SHA-256 and SHA-512 checksums tracked through  
>> MPOM-205 [2]:
>> 1. only for Apache source release files
>> 2. only in local build, available in target/ directory (nothing related  
>> to Maven repository nor deploy)
>>
>> See the related Git branch [3]
>>
>>
>> Anything to add before I merge this branch to master?
>> And eventually launch Apache parent POM 21 release quite soon...
>
> Please squash.
>
> It is a pity to see that none of our plugins can produce the checksums.
> While the requirement says at least one checksum, do you see any huge
> benefit having SHA512 over 256? I see none.
>
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org


Re: MPOM-205 creating source release checksums in target for Apache dist area

Posted by he...@free.fr.
squashed and kept only SHA-512

Maven core plugins don't cover everything even quite generic like creating checksums, that's why there are many Maven plugins out there...

Regards,

Hervé

----- Original Message -----
From: "Michael Osipov" <mi...@apache.org>
To: "Maven Developers List" <de...@maven.apache.org>, "herve boutemy" <he...@free.fr>
Cc: release-discuss@apache.org
Sent: Tuesday, 7 August 2018 23:04:46
Subject: Re: MPOM-205 creating source release checksums in target for Apache dist area

On 2018-08-07 at 22:50, herve.boutemy@free.fr wrote:
> Hi,
>
> Recently, Apache distribution policy changed regarding checksums [1]: now, SHA-256 or SHA-512 checksums are required.
>
> This led to discussion about changing checksums used on Maven repository and/or Apache Nexus repository.
>
> But Maven repository requirements and Apache source distribution requirements are completely independent: why tie them?
> 
> 
> I just implemented SHA-256 and SHA-512 checksums tracked through MPOM-205 [2]:
> 1. only for Apache source release files
> 2. only in local build, available in target/ directory (nothing related to Maven repository nor deploy)
> 
> See the related Git branch [3]
> 
> 
> Anything to add before I merge this branch to master?
> And eventually launch Apache parent POM 21 release quite soon...

Please squash.

It is a pity to see that none of our plugins can produce the checksums.
While the requirement says at least one checksum, do you see any huge
benefit having SHA512 over 256? I see none.

Michael

Re: MPOM-205 creating source release checksums in target for Apache dist area

Posted by Michael Osipov <mi...@apache.org>.
On 2018-08-07 at 22:50, herve.boutemy@free.fr wrote:
> Hi,
>
> Recently, Apache distribution policy changed regarding checksums [1]: now, SHA-256 or SHA-512 checksums are required.
>
> This led to discussion about changing checksums used on Maven repository and/or Apache Nexus repository.
>
> But Maven repository requirements and Apache source distribution requirements are completely independent: why tie them?
> 
> 
> I just implemented SHA-256 and SHA-512 checksums tracked through MPOM-205 [2]:
> 1. only for Apache source release files
> 2. only in local build, available in target/ directory (nothing related to Maven repository nor deploy)
> 
> See the related Git branch [3]
> 
> 
> Anything to add before I merge this branch to master?
> And eventually launch Apache parent POM 21 release quite soon...

Please squash.

It is a pity to see that none of our plugins can produce the checksums.
While the requires says at least one checksum, do you see any huge 
benefit having SHA512 over 256? I see none.

Michael
