Posted to issues@maven.apache.org by "Herve Boutemy (Jira)" <ji...@apache.org> on 2022/01/07 06:59:00 UTC

[jira] [Comment Edited] (MPOM-282) Create correct SHA512 content

    [ https://issues.apache.org/jira/browse/MPOM-282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470375#comment-17470375 ] 

Herve Boutemy edited comment on MPOM-282 at 1/7/22, 6:58 AM:
-------------------------------------------------------------

bq. Hm, after rereading original issue: "the created SHA512 which is used for the distribution area" – is it maybe us misinterpreting this?

+1

There are 2 separate needs that are constantly conflated.

I'll show 1 concrete example = the binary distribution of Maven 3.8.4, apache-maven-3.8.4-bin.zip:
- there is the sha512 file from Apache distribution area ("Apache distribution area" is ASF specific, obviously): https://archive.apache.org/dist/maven/maven-3/3.8.4/binaries/
- there is (eventually) the sha512 from Maven Central repository: https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.4/ : you'll see we did not even publish sha512 here (because Maven core does not use the shared ASF parent POM)

Let's look at Maven Wagon wagon-3.5.1-source-release.zip, which uses (like most of our Maven releases) the parent POM:
- Apache distribution area ("Apache distribution area" is ASF specific, obviously): https://archive.apache.org/dist/maven/wagon/
- Maven Central repository: https://repo.maven.apache.org/maven2/org/apache/maven/wagon/wagon/3.5.1/

Apache distribution area is free form of Apache Software Foundation.
Maven Central repository area has a Maven2 repository format.
In the past, both asked for SHA1 = the start of thinking that both checksum files were forced to be the same.
When Apache Software Foundation started to require sha512 but not Maven2 repository format, we started to see the mix.



> Create correct SHA512 content
> -----------------------------
>
>                 Key: MPOM-282
>                 URL: https://issues.apache.org/jira/browse/MPOM-282
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>
> Currently the created SHA512 which is used for the distribution area contains only the checksum but not the filename which results in bad output if the checksums being checked via command line tool:
> {code}
> $ shasum -c apache-maven-3.2.5-bin.tar.gz.sha512
> $ shasum: apache-maven-3.2.5-bin.tar.gz.sha512: no properly formatted SHA checksum lines found
> {code}
> The checksum should be enhanced to support that correctly.
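
As an added example (not part of the original message or of the Maven project's code): a POSIX shell check that accepts both checksum layouts discussed in this thread, the bare digest that `shasum -c` rejects and the `digest  filename` line it expects. The function names `sha512_of` and `verify_sha512` and the sample file in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify FILE against a .sha512 file in either layout.
# Function names and the demo artifact are constructed for illustration.

sha512_of() {                       # hex digest of a file, with either tool
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum < "$1"
    else
        shasum -a 512 < "$1"
    fi | awk '{ print $1 }'
}

verify_sha512() {                   # usage: verify_sha512 FILE [SUMFILE]
    file=$1; sumfile=${2:-$1.sha512}
    if [ ! -f "$file" ] || [ ! -f "$sumfile" ]; then
        echo "verify_sha512: missing $file or $sumfile" >&2; return 2
    fi
    # First non-empty line, with CRs dropped (CRLF checksum files).
    line=$(tr -d '\r' < "$sumfile" | awk 'NF { print; exit }')
    expected=$(printf '%s\n' "$line" | awk '{ print tolower($1) }')
    # Whatever follows the digest (minus the "*" binary marker) is the name.
    named=$(printf '%s\n' "$line" |
        awk '{ sub(/^[ \t]*[^ \t]+[ \t]*\*?/, ""); print }')
    # Refuse anything that is not exactly 128 hex characters.
    case $expected in
        ''|*[!0-9a-f]*) echo "$sumfile: no SHA-512 digest found" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "$sumfile: digest is not 128 hex characters" >&2; return 2
    fi
    # A named entry must be for this file, not for some other artifact.
    if [ -n "$named" ] && [ "$named" != "$(basename "$file")" ]; then
        echo "$sumfile: entry is for '$named'" >&2; return 2
    fi
    if [ "$(sha512_of "$file")" != "$expected" ]; then
        echo "$file: FAILED" >&2; return 1
    fi
    echo "$file: OK"
}

demo() {                            # constructed sample, runs offline
    d=$(mktemp -d) && printf 'constructed sample artifact\n' > "$d/sample.zip"
    sha512_of "$d/sample.zip" > "$d/bare.sha512"            # digest only
    printf '%s  sample.zip\n' "$(sha512_of "$d/sample.zip")" > "$d/named.sha512"
    verify_sha512 "$d/sample.zip" "$d/bare.sha512"
    verify_sha512 "$d/sample.zip" "$d/named.sha512"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The function returns 0 on a match, 1 on a digest mismatch and 2 when the checksum file is unusable or names a different artifact, so a calling script can tell a tampered download from a malformed checksum file.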


