Posted to dev@trafodion.apache.org by Steve Varnau <st...@esgyn.com> on 2018/03/05 17:57:41 UTC

FW: checksum file Release Distribution Policy

Ming,

Our release is compliant, since we have both SHA and MD5 checksums, but the new policy is asking for new releases to remove MD5.

So can you remove the md5 files from the release that is imminent?   

I will update the wiki release instructions to remove the md5 directions.

--Steve

-----Original Message-----
From: Henk P. Penning [mailto:penning@uu.nl] 
Sent: Monday, March 5, 2018 3:19 AM
To: henkp@apache.org
Subject: checksum file Release Distribution Policy

Hi Pmcs,

    The Release Distribution Policy[1] changed regarding checksum files.
    See under "Cryptographic Signatures and Checksums Requirements" [2].

      MD5-file == a .md5 file
      SHA-file == a .sha1, sha256 or .sha512 file

   Old policy :

      -- MUST provide a MD5-file
      -- SHOULD provide a SHA-file [SHA-512 recommended]

   New policy :

      -- MUST provide a SHA- or MD5-file
      -- SHOULD provide a SHA-file
      -- SHOULD NOT provide a MD5-file

      Providing MD5 checksum files is now discouraged for new releases,
      but still allowed for past releases.

   Why this change :

      -- MD5 is broken for many purposes ; we should move away from it.
         https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

   Impact for PMCs :

      -- for new releases :
         -- please do provide a SHA-file (one or more, if you like)
         -- do NOT provide a MD5-file

      -- for past releases :
         -- you are not required to change anything
         -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
            it would be nice if you removed the MD5-file

      -- if, at the moment, you provide MD5-files,
         please adjust your release tooling.

   Please mail me (henkp@apache.org) if you have any questions etc.

   FYI :

    Many projects are not (entirely, strictly) checksum file compliant.
    For an overview/inventory (by project) see :

     https://checker.apache.org/dist/unsummed.html

   At the moment :

      -- no checksum : 176 packages in 28 projects ; non-compliant
      -- only MD5    : 495 packages in 44 projects ; update tooling
      -- only SHA    : 135 packages in 13 projects ; now compliant

    In many cases, only a few (among many) checksum files are missing ;
    you may want to fix that.

    [1] http://www.apache.org/dev/release-distribution
    [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

   Thanks, groeten,

   Henk Penning -- apache.org infrastructure ; dist & mirrors.

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/

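What the "adjust your release tooling" item looks like in practice, as an added example that is not Trafodion's or the ASF's own release script: one .sha512 file per artifact in the "<hex>  <name>" layout that sha512sum -c reads, stale .md5 files dropped, and a verify step that fails on a tampered artifact. The file names, the temporary directory and the one-byte tamper are constructed for the demo; the helper uses GNU sha512sum where present and falls back to Perl shasum.

```shell
# Added example (not Trafodion's or the ASF's tooling): emit and verify
# .sha512 checksum files for release artifacts and remove .md5 files.
# All artifact names below are constructed for the demo.

# Use GNU coreutils sha512sum where present, else Perl shasum (macOS/BSD).
_sha512() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$@"; else shasum -a 512 "$@"; fi
}

# write_sha512 FILE: create FILE.sha512 next to FILE. Running inside the
# artifact's directory keeps any path prefix out of the checksum line, so
# the file still verifies after it has been mirrored somewhere else.
write_sha512() {
  ( cd "$(dirname "$1")" && _sha512 "$(basename "$1")" > "$(basename "$1").sha512" )
}

# verify_sha512 FILE: 0 if FILE matches FILE.sha512, 1 if missing or mismatched.
verify_sha512() {
  [ -f "$1.sha512" ] || return 1
  ( cd "$(dirname "$1")" && _sha512 -c --status "$(basename "$1").sha512" )
}

# drop_md5 DIR: remove the now-discouraged .md5 files; prints how many went.
drop_md5() {
  n=0
  for f in "$1"/*.md5; do
    [ -e "$f" ] || continue
    rm -f "$f" && n=$((n + 1))
  done
  echo "$n"
}

# demo_release_dir: build a constructed release directory with a leftover
# .md5 file, apply the policy change, and return 0 only if every expected
# outcome holds (md5 gone, pristine artifact verifies, tampered one fails).
demo_release_dir() {
  d=$(mktemp -d) || return 1
  printf 'constructed release payload\n' > "$d/artifact-1.0.tar.gz"
  : > "$d/artifact-1.0.tar.gz.md5"                 # stale file from old tooling
  write_sha512 "$d/artifact-1.0.tar.gz"
  [ "$(drop_md5 "$d")" = 1 ] || return 1
  verify_sha512 "$d/artifact-1.0.tar.gz" || return 1   # pristine: must pass
  printf 'x' >> "$d/artifact-1.0.tar.gz"               # append one byte
  if verify_sha512 "$d/artifact-1.0.tar.gz"; then return 1; fi   # must fail
  rm -rf "$d"
  return 0
}
```

The checksum file only detects corruption or a bad mirror; since it sits next to the artifact it cannot authenticate it, so the detached .asc signature the policy also requires is still what a downloader should check first.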
Re: FW: checksum file Release Distribution Policy

Posted by Ming Liu <li...@apache.org>.

On 2018/03/05 17:57:41, Steve Varnau <st...@esgyn.com> wrote: 
> Ming,
> 
> Our release is compliant, since we have both SHA and MD5 checksums, but the new policy is asking for new releases to remove MD5.
> 
> So can you remove the md5 files from the release that is imminent?   
> 
> I will update the wiki release instructions to remove the md5 directions.
> 
> --Steve

Thanks Steve,
Yes, I will remove those MD5 signatures. And thanks for taking care of this!

Ming