You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@calcite.apache.org by "Julian Hyde (JIRA)" <ji...@apache.org> on 2016/07/23 20:26:20 UTC

[jira] [Commented] (CALCITE-1329) As part of release, generate a file containing multiple digests

    [ https://issues.apache.org/jira/browse/CALCITE-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15390839#comment-15390839 ] 

Julian Hyde commented on CALCITE-1329:
--------------------------------------

[~sneethiraj], I got the idea of the {{.mds}} file from Apache Ranger. I've never seen any other project that combined all digests into one file, but it seems like a good idea, and I see you've been doing it ever since Apache Ranger 0.4.0 (incubating). Any comments on how it worked for you?

> As part of release, generate a file containing multiple digests
> ---------------------------------------------------------------
>
>                 Key: CALCITE-1329
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1329
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Julian Hyde
>            Assignee: Julian Hyde
>             Fix For: next
>
>
> Currently as part of the release we generate {{.md5}} and {{.sha1}} digests (as well as the pgp {{.asc}} file) and the download page http://calcite.apache.org/downloads/ references the md5 and pgp but not the sha1.
> Per http://www.apache.org/dev/release-signing.html#md5-security md5 is no longer secure, and sha512 is preferred over sha256. The best approach seems to be to generate multiple digests, and generate new ones as best practices change. I think we should generate checksum file with a {{.mds}} suffix as follows:
> {noformat}
> $ gpg --print-mds apache-calcite-1.8.0-src.tar.gz | tee apache-calcite-1.8.0-src.tar.gz.mds
> apache-calcite-1.8.0-src.tar.gz:    MD5 = B2 5D 0C 14 8B FE 20 0C  16 47 13 96
>                                           D9 2E C4 6D
> apache-calcite-1.8.0-src.tar.gz:   SHA1 = 4246 C20C BAA0 6534 B628  ADCB 1D5E
>                                           3AF1 4DE4 A864
> apache-calcite-1.8.0-src.tar.gz: RMD160 = ED29 BD56 D430 AD30 EB17  67CB 34C6
>                                           FCB0 47DB 58C5
> apache-calcite-1.8.0-src.tar.gz: SHA224 = 40333911 B0852673 08009F4B 747C88AD
>                                           B9996629 EE9BC16E 4492F367
> apache-calcite-1.8.0-src.tar.gz: SHA256 = E5C1DD83 14146A58 3AD44BAF 40F19F4C
>                                           D39A95FC E438231D 186F335B C86D6551
> apache-calcite-1.8.0-src.tar.gz: SHA384 = B2619FD2 E17C1CFB 199AE44B D15E79CA
>                                           DFAC6AFF D2F00D28 851D2DA2 F07B210E
>                                           F7349BED 44524A16 4990B79D A36D2B29
> apache-calcite-1.8.0-src.tar.gz: SHA512 = 18CFCA89 53874D31 80C60C6C 8D89652D
>                                           36AA1DAC 4007E113 02BCCDC3 E7465182
>                                           78B86071 431195D6 940773A7 F5314B09
>                                           5749791B 55F82E25 60C89735 29B4B468
> {noformat}
> Apache Ranger already does this; see http://ranger.apache.org/download.html.
> We would no longer generate {{.md5}} and {{.sha1}} files, but would continue to generate the {{.asc}} file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)