Posted to commits@cassandra.apache.org by "Michael Semb Wever (Jira)" <ji...@apache.org> on 2019/12/09 21:31:00 UTC

[jira] [Comment Edited] (CASSANDRA-14970) New releases must supply SHA-256 and/or SHA-512 checksums

    [ https://issues.apache.org/jira/browse/CASSANDRA-14970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16990977#comment-16990977 ] 

Michael Semb Wever edited comment on CASSANDRA-14970 at 12/9/19 9:30 PM:
-------------------------------------------------------------------------

bq. remove the `only_deb` flag (is it really needed?)

Agreed to keep. ref: https://the-asf.slack.com/archives/CK23JSY2K/p1574199400163100

bq. generate the sha512 and gnupg asc signatures on the non-maven artefacts

This is already done by the {{`ant release`}} task. But I can't see anywhere that is actually calling/using it. I have moved the checksumming into the {{`artifacts`}} tasks (alongside the generation of the original artefacts), and renamed the {{`release`}} task to {{`rat`}}.

The distribution artifacts are no longer getting deployed to the maven staging repository. They don't belong there as they are not maven artefacts. Instead they are just gpg signed, and it is left to the {{prepare_release.sh}} to move them into asf dev dist.


was (Author: michaelsembwever):
bq. remove the `only_deb` flag (is it really needed?)

Agreed to keep. ref: https://the-asf.slack.com/archives/CK23JSY2K/p1574199400163100

bq. generate the sha512 and gnupg asc signatures on the non-maven artefacts

This is already done by the {{`ant release`}} task. But I can't see anywhere that is actually calling/using it. I have moved the checksumming into the {{`artifacts`}} tasks (alongside the generation of the original artefacts), and renamed the {{`release`}} task to {{`rat`}}.

> New releases must supply SHA-256 and/or SHA-512 checksums
> ---------------------------------------------------------
>
>                 Key: CASSANDRA-14970
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14970
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Packaging
>            Reporter: Michael Shuler
>            Assignee: Michael Semb Wever
>            Priority: Urgent
>             Fix For: 2.2.16, 3.0.20, 3.11.6, 4.0
>
>         Attachments: 0001-Update-downloads-for-sha256-sha512-checksum-files.patch, 0001-Update-release-checksum-algorithms-to-SHA-256-SHA-512.patch, ant-publish-checksum-fail.jpg, build_cassandra-2.1.png, build_trunk.png
>
>
> Release policy was updated around 9/2018 to state:
> "For new releases, PMCs MUST supply SHA-256 and/or SHA-512; and SHOULD NOT supply MD5 or SHA-1. Existing releases do not need to be changed."
> build.xml needs to be updated from MD5 & SHA-1 to, at least, SHA-256 or both. cassandra-builds/cassandra-release scripts need to be updated to work with the new checksum files.
> http://www.apache.org/dev/release-distribution#sigs-and-sums


