You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ignite.apache.org by Denis Magda <dm...@apache.org> on 2018/08/18 00:51:03 UTC

Release policy updates

Peter, Anton V, Igniters,

The board communicated the following release policy changes:
  -- for new releases :
     -- you MUST supply a SHA-256 and/or SHA-512 file
     -- you SHOULD NOT supply MD5 or SHA-1 files

Are we good? More details are below.




*2 Release Dist Policy Changes  (Q? users@infra.apache.org)
-----------------------------------------------------------------------

The Release Distribution Policy[1] changed regarding checksum files.
See under "Cryptographic Signatures and Checksums Requirements" [2].

Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
not just emphasized words ; for an explanation see RFC-2119 [3].

Old policy :

  -- SHOULD supply a SHA checksum file
  -- SHOULD NOT supply a MD5 checksum file

New policy :

  -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
  -- SHOULD NOT supply MD5 or SHA-1 checksum files

Why this change ?

  -- Like MD5, SHA-1 is too broken ; we should move away from it.

Impact for PMCs :

  -- for new releases :
     -- you MUST supply a SHA-256 and/or SHA-512 file
     -- you SHOULD NOT supply MD5 or SHA-1 files

  -- for past releases :
     -- you are not required to change anything ;
     -- it would be nice if you fixed your dist area ;
        start with : cleanup ; rename .sha's ; remove .md5's

Re: Release policy updates

Posted by Anton Vinogradov <av...@apache.org>.

Issue [1] created.

[1] https://issues.apache.org/jira/browse/IGNITE-9346

пн, 20 авг. 2018 г. в 17:27, Denis Magda <dm...@gridgain.com>:

> Yes, let’s just remove md5. Will you create the ticket and handle this for
> 2.7?
>
> Denis
>
> On Monday, August 20, 2018, Anton Vinogradov <av...@apache.org> wrote:
>
> > Denis,
> >
> > Currently we provide md5 and sha512 [1].
> > Should we just get rid of md5?
> >
> > [1] https://www.apache.org/dist/ignite/2.6.0/
> >
> > сб, 18 авг. 2018 г. в 3:51, Denis Magda <dm...@apache.org>:
> >
> >> Peter, Anton V, Igniters,
> >>
> >> The board communicated the following release policy changes:
> >>   -- for new releases :
> >>      -- you MUST supply a SHA-256 and/or SHA-512 file
> >>      -- you SHOULD NOT supply MD5 or SHA-1 files
> >>
> >> Are we good? More details are below.
> >>
> >>
> >>
> >>
> >> *2 Release Dist Policy Changes  (Q? users@infra.apache.org)
> >> -----------------------------------------------------------------------
> >>
> >> The Release Distribution Policy[1] changed regarding checksum files.
> >> See under "Cryptographic Signatures and Checksums Requirements" [2].
> >>
> >> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
> >> not just emphasized words ; for an explanation see RFC-2119 [3].
> >>
> >> Old policy :
> >>
> >>   -- SHOULD supply a SHA checksum file
> >>   -- SHOULD NOT supply a MD5 checksum file
> >>
> >> New policy :
> >>
> >>   -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
> >>   -- SHOULD NOT supply MD5 or SHA-1 checksum files
> >>
> >> Why this change ?
> >>
> >>   -- Like MD5, SHA-1 is too broken ; we should move away from it.
> >>
> >> Impact for PMCs :
> >>
> >>   -- for new releases :
> >>      -- you MUST supply a SHA-256 and/or SHA-512 file
> >>      -- you SHOULD NOT supply MD5 or SHA-1 files
> >>
> >>   -- for past releases :
> >>      -- you are not required to change anything ;
> >>      -- it would be nice if you fixed your dist area ;
> >>         start with : cleanup ; rename .sha's ; remove .md5's
> >>
> >
>

Re: Release policy updates

Posted by Denis Magda <dm...@gridgain.com>.

Yes, let’s just remove md5. Will you create the ticket and handle this for
2.7?

Denis

On Monday, August 20, 2018, Anton Vinogradov <av...@apache.org> wrote:

> Denis,
>
> Currently we provide md5 and sha512 [1].
> Should we just get rid of md5?
>
> [1] https://www.apache.org/dist/ignite/2.6.0/
>
> сб, 18 авг. 2018 г. в 3:51, Denis Magda <dm...@apache.org>:
>
>> Peter, Anton V, Igniters,
>>
>> The board communicated the following release policy changes:
>>   -- for new releases :
>>      -- you MUST supply a SHA-256 and/or SHA-512 file
>>      -- you SHOULD NOT supply MD5 or SHA-1 files
>>
>> Are we good? More details are below.
>>
>>
>>
>>
>> *2 Release Dist Policy Changes  (Q? users@infra.apache.org)
>> -----------------------------------------------------------------------
>>
>> The Release Distribution Policy[1] changed regarding checksum files.
>> See under "Cryptographic Signatures and Checksums Requirements" [2].
>>
>> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
>> not just emphasized words ; for an explanation see RFC-2119 [3].
>>
>> Old policy :
>>
>>   -- SHOULD supply a SHA checksum file
>>   -- SHOULD NOT supply a MD5 checksum file
>>
>> New policy :
>>
>>   -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
>>   -- SHOULD NOT supply MD5 or SHA-1 checksum files
>>
>> Why this change ?
>>
>>   -- Like MD5, SHA-1 is too broken ; we should move away from it.
>>
>> Impact for PMCs :
>>
>>   -- for new releases :
>>      -- you MUST supply a SHA-256 and/or SHA-512 file
>>      -- you SHOULD NOT supply MD5 or SHA-1 files
>>
>>   -- for past releases :
>>      -- you are not required to change anything ;
>>      -- it would be nice if you fixed your dist area ;
>>         start with : cleanup ; rename .sha's ; remove .md5's
>>
>

Re: Release policy updates

Posted by Anton Vinogradov <av...@apache.org>.

Denis,

Currently we provide md5 and sha512 [1].
Should we just get rid of md5?

[1] https://www.apache.org/dist/ignite/2.6.0/

сб, 18 авг. 2018 г. в 3:51, Denis Magda <dm...@apache.org>:

> Peter, Anton V, Igniters,
>
> The board communicated the following release policy changes:
>   -- for new releases :
>      -- you MUST supply a SHA-256 and/or SHA-512 file
>      -- you SHOULD NOT supply MD5 or SHA-1 files
>
> Are we good? More details are below.
>
>
>
>
> *2 Release Dist Policy Changes  (Q? users@infra.apache.org)
> -----------------------------------------------------------------------
>
> The Release Distribution Policy[1] changed regarding checksum files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
> not just emphasized words ; for an explanation see RFC-2119 [3].
>
> Old policy :
>
>   -- SHOULD supply a SHA checksum file
>   -- SHOULD NOT supply a MD5 checksum file
>
> New policy :
>
>   -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
>   -- SHOULD NOT supply MD5 or SHA-1 checksum files
>
> Why this change ?
>
>   -- Like MD5, SHA-1 is too broken ; we should move away from it.
>
> Impact for PMCs :
>
>   -- for new releases :
>      -- you MUST supply a SHA-256 and/or SHA-512 file
>      -- you SHOULD NOT supply MD5 or SHA-1 files
>
>   -- for past releases :
>      -- you are not required to change anything ;
>      -- it would be nice if you fixed your dist area ;
>         start with : cleanup ; rename .sha's ; remove .md5's
>