Posted to dev@ignite.apache.org by Denis Magda <dm...@apache.org> on 2018/08/18 00:51:03 UTC
Release policy updates
Peter, Anton V, Igniters,
The board communicated the following release policy changes:
-- for new releases :
   -- you MUST supply a SHA-256 and/or SHA-512 file
   -- you SHOULD NOT supply MD5 or SHA-1 files
Are we good? More details are below.
*2 Release Dist Policy Changes (Q? users@infra.apache.org)
-----------------------------------------------------------------------
The Release Distribution Policy[1] changed regarding checksum files.
See under "Cryptographic Signatures and Checksums Requirements" [2].
Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
not just emphasized words ; for an explanation see RFC-2119 [3].
Old policy :
-- SHOULD supply a SHA checksum file
-- SHOULD NOT supply a MD5 checksum file
New policy :
-- SHOULD supply a SHA-256 and/or SHA-512 checksum file
-- SHOULD NOT supply MD5 or SHA-1 checksum files
Why this change ?
-- Like MD5, SHA-1 is too broken ; we should move away from it.
Impact for PMCs :
-- for new releases :
   -- you MUST supply a SHA-256 and/or SHA-512 file
   -- you SHOULD NOT supply MD5 or SHA-1 files
-- for past releases :
   -- you are not required to change anything ;
   -- it would be nice if you fixed your dist area ;
      start with : cleanup ; rename .sha's ; remove .md5's
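The checksum rules above, as an added example that is not part of the original thread or of any ASF or Ignite tooling: a Python audit of a release dist directory that flags .md5/.sha1 files, proposes a new name for an ambiguous .sha file from its digest length, and verifies the .sha256/.sha512 file next to each artifact. The file names in demo(), the sha512sum-style checksum layout, and the treatment of .asc files as signatures are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

STRONG = {".sha256": "sha256", ".sha512": "sha512"}       # policy: MUST supply one
WEAK = {".md5", ".sha1"}                                  # policy: SHOULD NOT supply
BY_LENGTH = {40: ".sha1", 64: ".sha256", 128: ".sha512"}  # hex digits -> suffix

def first_digest(path):
    """First hex digest in a checksum file (sha512sum-style layout assumed)."""
    m = re.search(r"\b[0-9a-fA-F]{32,128}\b", path.read_text(errors="replace"))
    return m.group(0).lower() if m else None

def check_artifact(artifact):
    """Verify each strong checksum beside the artifact; at least one must exist."""
    sides = [(artifact.with_name(artifact.name + s), a) for s, a in STRONG.items()]
    sides = [(p, a) for p, a in sides if p.exists()]
    if not sides:
        return [(artifact.name, "missing .sha256/.sha512")]
    return [(p.name, "digest mismatch") for p, a in sides  # reads the whole file
            if first_digest(p) != hashlib.new(a, artifact.read_bytes()).hexdigest()]

def audit(dist):
    """Return (file name, finding) pairs for one dist directory."""
    findings = []
    for p in sorted(f for f in Path(dist).iterdir() if f.is_file()):
        if p.suffix in WEAK:
            findings.append((p.name, "remove weak checksum"))
        elif p.suffix == ".sha":  # ambiguous name: identify by digest length
            new = BY_LENGTH.get(len(first_digest(p) or ""))
            findings.append((p.name, f"rename to {p.stem}{new}" if new in STRONG
                             else "remove weak or unreadable .sha"))
        elif p.suffix not in STRONG and p.suffix != ".asc":  # .asc: signature
            findings += check_artifact(p)
    return findings

def demo():
    """Audit a constructed dist directory (names and contents are made up)."""
    sample = {"a.zip": "a", "b.zip": "b", "c.zip": "c", "a.zip.md5": "0" * 32,
              "a.zip.sha512": hashlib.sha512(b"a").hexdigest() + "  a.zip\n",
              "b.zip.sha": hashlib.sha256(b"b").hexdigest(), "c.zip.sha256": "0" * 64}
    with tempfile.TemporaryDirectory() as d:
        for name, text in sample.items():
            Path(d, name).write_text(text)
        return audit(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the constructed directory, b.zip is reported as missing a strong checksum even though b.zip.sha holds a SHA-256 digest, because the file only counts once it carries the .sha256 name.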
Re: Release policy updates
Posted by Anton Vinogradov <av...@apache.org>.
Issue [1] created.
[1] https://issues.apache.org/jira/browse/IGNITE-9346
Mon, Aug 20, 2018 at 17:27, Denis Magda <dm...@gridgain.com>:
> Yes, let’s just remove md5. Will you create the ticket and handle this for
> 2.7?
>
> Denis
>
> On Monday, August 20, 2018, Anton Vinogradov <av...@apache.org> wrote:
>
> > Denis,
> >
> > Currently we provide md5 and sha512 [1].
> > Should we just get rid of md5?
> >
> > [1] https://www.apache.org/dist/ignite/2.6.0/
> >
> > Sat, Aug 18, 2018 at 3:51, Denis Magda <dm...@apache.org>:
> >
> >> Peter, Anton V, Igniters,
> >>
> >> The board communicated the following release policy changes:
> >> -- for new releases :
> >> -- you MUST supply a SHA-256 and/or SHA-512 file
> >> -- you SHOULD NOT supply MD5 or SHA-1 files
> >>
> >> Are we good? More details are below.
> >>
> >>
> >>
> >>
> >> *2 Release Dist Policy Changes (Q? users@infra.apache.org)
> >> -----------------------------------------------------------------------
> >>
> >> The Release Distribution Policy[1] changed regarding checksum files.
> >> See under "Cryptographic Signatures and Checksums Requirements" [2].
> >>
> >> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
> >> not just emphasized words ; for an explanation see RFC-2119 [3].
> >>
> >> Old policy :
> >>
> >> -- SHOULD supply a SHA checksum file
> >> -- SHOULD NOT supply a MD5 checksum file
> >>
> >> New policy :
> >>
> >> -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
> >> -- SHOULD NOT supply MD5 or SHA-1 checksum files
> >>
> >> Why this change ?
> >>
> >> -- Like MD5, SHA-1 is too broken ; we should move away from it.
> >>
> >> Impact for PMCs :
> >>
> >> -- for new releases :
> >> -- you MUST supply a SHA-256 and/or SHA-512 file
> >> -- you SHOULD NOT supply MD5 or SHA-1 files
> >>
> >> -- for past releases :
> >> -- you are not required to change anything ;
> >> -- it would be nice if you fixed your dist area ;
> >> start with : cleanup ; rename .sha's ; remove .md5's
> >>
> >
>
Re: Release policy updates
Posted by Denis Magda <dm...@gridgain.com>.
Yes, let’s just remove md5. Will you create the ticket and handle this for
2.7?
Denis
On Monday, August 20, 2018, Anton Vinogradov <av...@apache.org> wrote:
> Denis,
>
> Currently we provide md5 and sha512 [1].
> Should we just get rid of md5?
>
> [1] https://www.apache.org/dist/ignite/2.6.0/
>
> Sat, Aug 18, 2018 at 3:51, Denis Magda <dm...@apache.org>:
>
>> Peter, Anton V, Igniters,
>>
>> The board communicated the following release policy changes:
>> -- for new releases :
>> -- you MUST supply a SHA-256 and/or SHA-512 file
>> -- you SHOULD NOT supply MD5 or SHA-1 files
>>
>> Are we good? More details are below.
>>
>>
>>
>>
>> *2 Release Dist Policy Changes (Q? users@infra.apache.org)
>> -----------------------------------------------------------------------
>>
>> The Release Distribution Policy[1] changed regarding checksum files.
>> See under "Cryptographic Signatures and Checksums Requirements" [2].
>>
>> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
>> not just emphasized words ; for an explanation see RFC-2119 [3].
>>
>> Old policy :
>>
>> -- SHOULD supply a SHA checksum file
>> -- SHOULD NOT supply a MD5 checksum file
>>
>> New policy :
>>
>> -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
>> -- SHOULD NOT supply MD5 or SHA-1 checksum files
>>
>> Why this change ?
>>
>> -- Like MD5, SHA-1 is too broken ; we should move away from it.
>>
>> Impact for PMCs :
>>
>> -- for new releases :
>> -- you MUST supply a SHA-256 and/or SHA-512 file
>> -- you SHOULD NOT supply MD5 or SHA-1 files
>>
>> -- for past releases :
>> -- you are not required to change anything ;
>> -- it would be nice if you fixed your dist area ;
>> start with : cleanup ; rename .sha's ; remove .md5's
>>
>
Re: Release policy updates
Posted by Anton Vinogradov <av...@apache.org>.
Denis,
Currently we provide md5 and sha512 [1].
Should we just get rid of md5?
[1] https://www.apache.org/dist/ignite/2.6.0/
Sat, Aug 18, 2018 at 3:51, Denis Magda <dm...@apache.org>:
> Peter, Anton V, Igniters,
>
> The board communicated the following release policy changes:
> -- for new releases :
> -- you MUST supply a SHA-256 and/or SHA-512 file
> -- you SHOULD NOT supply MD5 or SHA-1 files
>
> Are we good? More details are below.
>
>
>
>
> *2 Release Dist Policy Changes (Q? users@infra.apache.org)
> -----------------------------------------------------------------------
>
> The Release Distribution Policy[1] changed regarding checksum files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> Note that "MUST", "SHOULD", "SHOULD NOT" are technical terms ;
> not just emphasized words ; for an explanation see RFC-2119 [3].
>
> Old policy :
>
> -- SHOULD supply a SHA checksum file
> -- SHOULD NOT supply a MD5 checksum file
>
> New policy :
>
> -- SHOULD supply a SHA-256 and/or SHA-512 checksum file
> -- SHOULD NOT supply MD5 or SHA-1 checksum files
>
> Why this change ?
>
> -- Like MD5, SHA-1 is too broken ; we should move away from it.
>
> Impact for PMCs :
>
> -- for new releases :
> -- you MUST supply a SHA-256 and/or SHA-512 file
> -- you SHOULD NOT supply MD5 or SHA-1 files
>
> -- for past releases :
> -- you are not required to change anything ;
> -- it would be nice if you fixed your dist area ;
> start with : cleanup ; rename .sha's ; remove .md5's
>