Posted to dev@ignite.apache.org by Denis Magda <dm...@apache.org> on 2018/03/05 20:57:45 UTC

Fwd: checksum file Release Distribution Policy

Igniters,

Do we comply with the next release requirements? Vladimir as a 2.4 release
manager, could you double check that we are in a good state?

--
Denis
---------- Forwarded message ----------
From: Henk P. Penning <pe...@uu.nl>
Date: Mon, Mar 5, 2018 at 3:18 AM
Subject: checksum file Release Distribution Policy
To: henkp@apache.org


Hi Pmcs,

   The Release Distribution Policy[1] changed regarding checksum files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

     MD5-file == a .md5 file
     SHA-file == a .sha1, .sha256 or .sha512 file

  Old policy :

     -- MUST provide a MD5-file
     -- SHOULD provide a SHA-file [SHA-512 recommended]

  New policy :

     -- MUST provide a SHA- or MD5-file
     -- SHOULD provide a SHA-file
     -- SHOULD NOT provide a MD5-file

     Providing MD5 checksum files is now discouraged for new releases,
     but still allowed for past releases.

  Why this change :

     -- MD5 is broken for many purposes ; we should move away from it.
        https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

  Impact for PMCs :

     -- for new releases :
        -- please do provide a SHA-file (one or more, if you like)
        -- do NOT provide a MD5-file

     -- for past releases :
        -- you are not required to change anything
        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
           it would be nice if you removed the MD5-file

     -- if, at the moment, you provide MD5-files,
        please adjust your release tooling.

  Please mail me (henkp@apache.org) if you have any questions etc.

  FYI :

   Many projects are not (entirely, strictly) checksum file compliant.
   For an overview/inventory (by project) see :

    https://checker.apache.org/dist/unsummed.html

  At the moment :

     -- no checksum : 176 packages in 28 projects ; non-compliant
     -- only MD5    : 495 packages in 44 projects ; update tooling
     -- only SHA    : 135 packages in 13 projects ; now compliant

   In many cases, only a few (among many) checksum files are missing ;
   you may want to fix that.

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

  Thanks, groeten,

  Henk Penning -- apache.org infrastructure ; dist & mirrors.

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/
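
A release-tooling check for the policy above, as an added example that is not part of the original thread or of any Apache tooling: it sorts the artifacts in a release directory into the checksum states the mail lists and recomputes any SHA-files it finds. The directory layout, the sample file names, the `.asc` extension and the "digest is the first token" sidecar format are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# "SHA-file" extensions as defined in the mail, mapped to hashlib algorithm names.
SHA_EXTS = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
SIDECARS = set(SHA_EXTS) | {".md5", ".asc"}  # assumption: .asc signatures sit alongside

def classify(dist_dir):
    """Map every artifact in dist_dir to the checksum state the policy cares about."""
    names = {p.name for p in Path(dist_dir).iterdir() if p.is_file()}
    report = {}
    for name in sorted(names):
        if Path(name).suffix in SIDECARS:
            continue  # checksum and signature files are not artifacts
        has_sha = any(name + ext in names for ext in SHA_EXTS)
        has_md5 = name + ".md5" in names
        if has_sha:
            report[name] = "SHA and MD5: remove MD5-file" if has_md5 else "only SHA: compliant"
        else:
            report[name] = "only MD5: update tooling" if has_md5 else "no checksum: non-compliant"
    return report

def verify_sha_files(dist_dir, name):
    """Recompute each SHA-file present for one artifact; return {extension: matches}."""
    data = (Path(dist_dir) / name).read_bytes()
    results = {}
    for ext, algo in SHA_EXTS.items():
        sidecar = Path(dist_dir) / (name + ext)
        if sidecar.exists():
            tokens = sidecar.read_text().split()  # assumption: hex digest is the first token
            results[ext] = bool(tokens) and tokens[0].lower() == hashlib.new(algo, data).hexdigest()
    return results

def make_sample_dist():
    """Constructed sample release directory; the file names are invented."""
    d = Path(tempfile.mkdtemp())
    for name in ("both.zip", "md5only.zip", "shaonly.zip", "bare.zip"):
        (d / name).write_bytes(name.encode())
    for name in ("both.zip", "shaonly.zip"):
        (d / (name + ".sha512")).write_text(hashlib.sha512(name.encode()).hexdigest() + "  " + name + "\n")
    for name in ("both.zip", "md5only.zip"):
        (d / (name + ".md5")).write_text("placeholder-not-a-real-digest\n")
    return d

if __name__ == "__main__":
    dist = make_sample_dist()
    for artifact, status in classify(dist).items():
        print(artifact, "->", status, verify_sha_files(dist, artifact))
```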

Re: checksum file Release Distribution Policy

Posted by Sergey Kozlov <sk...@gridgain.com>.
We keep MD5 files for backward compatibility

On Tue, Mar 6, 2018 at 3:50 PM, Vladimir Ozerov <vo...@gridgain.com>
wrote:

> I am not sure. We do have SHA512 files, which is ok. But we also have MD5
> files, which now "SHOULD NOT" be provided. Is it OK that we still have
> them?
>
> On Tue, Mar 6, 2018 at 10:23 AM, Dmitriy Setrakyan <ds...@apache.org>
> wrote:
>
> > On Mon, Mar 5, 2018 at 12:57 PM, Denis Magda <dm...@apache.org> wrote:
> >
> > > Igniters,
> > >
> > > Do we comply with the next release requirements? Vladimir as a 2.4 release
> > > manager, could you double check that we are in a good state?
> > >
> >
> > I think we do. We only provide SHA files for our releases.
> >
>



-- 
Sergey Kozlov
GridGain Systems
www.gridgain.com

Re: checksum file Release Distribution Policy

Posted by Denis Magda <dm...@apache.org>.
If it's not late, I would remove it manually from 2.4 and alter the release
procedures. See a respective message from Cos:
http://apache-ignite-developers.2346864.n4.nabble.com/MD5-sums-in-the-releases-td27901.html

--
Denis

On Sun, Mar 11, 2018 at 11:00 PM, Petr Ivanov <mr...@gmail.com> wrote:

> Should we manually delete MD5 hash sums from the current release (2.4), or
> will a release procedure modification in 2.5 be enough?
>
>
>
> > On 7 Mar 2018, at 21:29, Dmitriy Setrakyan <ds...@apache.org> wrote:
> >
> > On Tue, Mar 6, 2018 at 8:52 PM, Petr Ivanov <mr...@gmail.com> wrote:
> >
> >> http://apache.org/dist/ignite/2.3.0/
> >>
> >
> > Got it. Let's get rid of MD5 in this case.
> >
> > D.
>
>

Re: checksum file Release Distribution Policy

Posted by Petr Ivanov <mr...@gmail.com>.
Should we manually delete MD5 hash sums from the current release (2.4), or will a release procedure modification in 2.5 be enough?



> On 7 Mar 2018, at 21:29, Dmitriy Setrakyan <ds...@apache.org> wrote:
> 
> On Tue, Mar 6, 2018 at 8:52 PM, Petr Ivanov <mr...@gmail.com> wrote:
> 
>> http://apache.org/dist/ignite/2.3.0/
>>
> 
> Got it. Let's get rid of MD5 in this case.
> 
> D.


Re: checksum file Release Distribution Policy

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Tue, Mar 6, 2018 at 8:52 PM, Petr Ivanov <mr...@gmail.com> wrote:

> http://apache.org/dist/ignite/2.3.0/
>

Got it. Let's get rid of MD5 in this case.

D.

Re: checksum file Release Distribution Policy

Posted by Petr Ivanov <mr...@gmail.com>.
http://apache.org/dist/ignite/2.3.0/



> On 6 Mar 2018, at 23:21, Dmitriy Setrakyan <ds...@apache.org> wrote:
> 
> I don't see MD5 files anywhere on the website:
> https://ignite.apache.org/download.cgi
> 
> Where do we have them?
> 
> D.
> 
> 
> On Tue, Mar 6, 2018 at 4:50 AM, Vladimir Ozerov <vo...@gridgain.com>
> wrote:
> 
>> I am not sure. We do have SHA512 files, which is ok. But we also have MD5
>> files, which now "SHOULD NOT" be provided. Is it OK that we still have
>> them?
>> 
>> On Tue, Mar 6, 2018 at 10:23 AM, Dmitriy Setrakyan <ds...@apache.org>
>> wrote:
>> 
>>> On Mon, Mar 5, 2018 at 12:57 PM, Denis Magda <dm...@apache.org> wrote:
>>> 
>>>> Igniters,
>>>> 
>>>> Do we comply with the next release requirements? Vladimir as a 2.4 release
>>>> manager, could you double check that we are in a good state?
>>>> 
>>> 
>>> I think we do. We only provide SHA files for our releases.
>>> 
>> 


Re: checksum file Release Distribution Policy

Posted by Dmitriy Setrakyan <ds...@apache.org>.
I don't see MD5 files anywhere on the website:
https://ignite.apache.org/download.cgi

Where do we have them?

D.


On Tue, Mar 6, 2018 at 4:50 AM, Vladimir Ozerov <vo...@gridgain.com>
wrote:

> I am not sure. We do have SHA512 files, which is ok. But we also have MD5
> files, which now "SHOULD NOT" be provided. Is it OK that we still have
> them?
>
> On Tue, Mar 6, 2018 at 10:23 AM, Dmitriy Setrakyan <ds...@apache.org>
> wrote:
>
> > On Mon, Mar 5, 2018 at 12:57 PM, Denis Magda <dm...@apache.org> wrote:
> >
> > > Igniters,
> > >
> > > Do we comply with the next release requirements? Vladimir as a 2.4 release
> > > manager, could you double check that we are in a good state?
> > >
> >
> > I think we do. We only provide SHA files for our releases.
> >
>

Re: checksum file Release Distribution Policy

Posted by Vladimir Ozerov <vo...@gridgain.com>.
I am not sure. We do have SHA512 files, which is ok. But we also have MD5
files, which now "SHOULD NOT" be provided. Is it OK that we still have
them?

On Tue, Mar 6, 2018 at 10:23 AM, Dmitriy Setrakyan <ds...@apache.org>
wrote:

> On Mon, Mar 5, 2018 at 12:57 PM, Denis Magda <dm...@apache.org> wrote:
>
> > Igniters,
> >
> > Do we comply with the next release requirements? Vladimir as a 2.4 release
> > manager, could you double check that we are in a good state?
> >
>
> I think we do. We only provide SHA files for our releases.
>

Re: checksum file Release Distribution Policy

Posted by Dmitriy Setrakyan <ds...@apache.org>.
On Mon, Mar 5, 2018 at 12:57 PM, Denis Magda <dm...@apache.org> wrote:

> Igniters,
>
> Do we comply with the next release requirements? Vladimir as a 2.4 release
> manager, could you double check that we are in a good state?
>

I think we do. We only provide SHA files for our releases.