Posted to issues@metamodel.apache.org by "Kasper Sørensen (JIRA)" <ji...@apache.org> on 2017/08/16 18:57:00 UTC

[jira] [Created] (METAMODEL-1155) Produce .sha256 and .sha512 files during release

Kasper Sørensen created METAMODEL-1155:
------------------------------------------

             Summary: Produce .sha256 and .sha512 files during release
                 Key: METAMODEL-1155
                 URL: https://issues.apache.org/jira/browse/METAMODEL-1155
             Project: Apache MetaModel
          Issue Type: Task
            Reporter: Kasper Sørensen


The Release Distribution Policy[1] changed regarding .sha files.
See under "Cryptographic Signatures and Checksums Requirements" [2].

  New policy:

     -- use .sha1 for a SHA-1 checksum
     -- use .sha256 for a SHA-256 checksum
     -- use .sha512 for a SHA-512 checksum
     -- [*] .sha should contain a SHA-1

  Why this change?

     -- Verifying a checksum under the old policy is/was not handy.
        You have to inspect the .sha to find out which algorithm
        should be used; or try them all (SHA-1, SHA256, etc).
        The new scheme avoids this ambiguity.
     -- The last point[*] was only added for clarity. Most of the
        old, stale .sha's contain a SHA-1. The relatively new .sha's
        contain a SHA-512. The expectation is that the last category will
        disappear when active projects adapt to the 'new' convention.

Specifically for MetaModel:

* We need to produce the 256 and 512 variants, since we today already produce a .sha1 file

[1] http://www.apache.org/dev/release-distribution
[2] http://www.apache.org/dev/release-distribution#sigs-and-sums



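Added example, not part of the original issue or of MetaModel's release tooling: a Python sketch that writes the .sha256 and .sha512 files for an artifact and verifies a checksum file by choosing the algorithm from its extension, falling back to digest length only for a legacy .sha file. The function names and the "hexdigest  filename" file layout are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# Extension -> hashlib algorithm, following the naming scheme quoted in the issue.
ALGO_BY_EXT = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Legacy ".sha" files hold either SHA-1 or SHA-512 according to the issue,
# so the hex digest length is the only way to tell them apart.
LEGACY_BY_HEXLEN = {40: "sha1", 128: "sha512"}


def digest(path, algo):
    """Hex digest of a file, read in chunks so large release archives are fine."""
    h = hashlib.new(algo)
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(artifact, exts=(".sha256", ".sha512")):
    """Write <artifact><ext> next to the artifact; returns the files written."""
    artifact = Path(artifact)
    written = []
    for ext in exts:
        target = artifact.with_name(artifact.name + ext)
        # Assumed layout: "hexdigest  filename" on one line.
        target.write_text(f"{digest(artifact, ALGO_BY_EXT[ext])}  {artifact.name}\n")
        written.append(target)
    return written


def verify(artifact, checksum_file):
    """True if the artifact matches the digest stored in checksum_file."""
    checksum_file = Path(checksum_file)
    fields = checksum_file.read_text().split()
    if not fields:
        return False  # empty checksum file never verifies
    expected = fields[0].lower()
    if checksum_file.suffix == ".sha":
        algo = LEGACY_BY_HEXLEN.get(len(expected))  # the old ambiguity
    else:
        algo = ALGO_BY_EXT.get(checksum_file.suffix)
    if algo is None:
        raise ValueError(f"cannot determine algorithm for {checksum_file.name}")
    # A .sha256 file holding a SHA-1 digest is a mislabelled file, not a match.
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False
    return digest(artifact, algo) == expected
```

A checksum only detects corruption of the download; authenticity still rests on the signature requirements in the same section of the policy [2].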