You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@brooklyn.apache.org by GitBox <gi...@apache.org> on 2019/12/08 21:53:26 UTC
[GitHub] [brooklyn-dist] geomacy opened a new pull request #150:
BROOKLYN-597 Remove md5/sha1 - DO NOT MERGE
geomacy opened a new pull request #150: BROOKLYN-597 Remove md5/sha1 - DO NOT MERGE
URL: https://github.com/apache/brooklyn-dist/pull/150
Remove MD5 and SHA-1 for [BROOKLYN-597](https://issues.apache.org/jira/projects/BROOKLYN/issues/BROOKLYN-597)
Also simplifies the artifact signing, just hashing the artifacts and signing only the SHA256SUMS file.
DO NOT MERGE this is for review at the moment, I can't get the release make script to work. Will mail the list to ask.
Details per JIRA:
Per the recently updated Apache Release Distribution Policy, https://www.apache.org/dev/release-distribution, we should remove the generation and checking of MD5 and SHA-1 checksums from brooklyn-dist/release before we do another release, presumably 1.0.
The relevant wording is
For every artifact distributed to the public through Apache channels, the PMC
MUST supply a valid OpenPGP-compatible ASCII-armored detached signature file
MUST supply at least one checksum file
SHOULD supply a SHA-256 and/or SHA-512 checksum file
SHOULD NOT supply a MD5 or SHA-1 checksum file (because these are deprecated)
For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT supply MD5 or SHA-1. Existing releases do not need to be changed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services