commons-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: checksum file Release Distribution Policy
Date Mon, 05 Mar 2018 16:52:38 GMT
On Mon, Mar 5, 2018 at 8:51 AM, Rob Tompkins <chtompki@gmail.com> wrote:

> The current version, 1.1, uploads .asc, .sha1, and .md5. Should we pull
> that back in lieu of adding sha512 and removing sha1, md5? I haven’t
> promoted the RC yet.
>

I would move the release along, then consider how to implement the new
policy in a subsequent release.

Gary


>
> -Rob
>
> > On Mar 5, 2018, at 10:27 AM, Gary Gregory <garydgregory@gmail.com>
> wrote:
> >
> > Rob: How does this affect your release plugin?
> >
> > Gary
> > ---------- Forwarded message ----------
> > From: Henk P. Penning <penning@uu.nl>
> > Date: Mon, Mar 5, 2018 at 4:18 AM
> > Subject: checksum file Release Distribution Policy
> > To: henkp@apache.org
> >
> >
> > Hi Pmcs,
> >
> >   The Release Distribution Policy[1] changed regarding checksum files.
> >   See under "Cryptographic Signatures and Checksums Requirements" [2].
> >
> >     MD5-file == a .md5 file
> >     SHA-file == a .sha1, sha256 or .sha512 file
> >
> >  Old policy :
> >
> >     -- MUST provide a MD5-file
> >     -- SHOULD provide a SHA-file [SHA-512 recommended]
> >
> >  New policy :
> >
> >     -- MUST provide a SHA- or MD5-file
> >     -- SHOULD provide a SHA-file
> >     -- SHOULD NOT provide a MD5-file
> >
> >     Providing MD5 checksum files is now discouraged for new releases,
> >     but still allowed for past releases.
> >
> >  Why this change :
> >
> >     -- MD5 is broken for many purposes ; we should move away from it.
> >        https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues
> >
> >  Impact for PMCs :
> >
> >     -- for new releases :
> >        -- please do provide a SHA-file (one or more, if you like)
> >        -- do NOT provide a MD5-file
> >
> >     -- for past releases :
> >        -- you are not required to change anything
> >        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
> >           it would be nice if you removed the MD5-file
> >
> >     -- if, at the moment, you provide MD5-files,
> >        please adjust your release tooling.
> >
> >  Please mail me (henkp@apache.org) if you have any questions etc.
> >
> >  FYI :
> >
> >   Many projects are not (entirely, strictly) checksum file compliant.
> >   For an overview/inventory (by project) see :
> >
> >    https://checker.apache.org/dist/unsummed.html
> >
> >  At the moment :
> >
> >     -- no checksum : 176 packages in 28 projects ; non-compliant
> >     -- only MD5    : 495 packages in 44 projects ; update tooling
> >     -- only SHA    : 135 packages in 13 projects ; now compliant
> >
> >   In many cases, only a few (among many) checksum files are missing ;
> >   you may want to fix that.
> >
> >   [1] http://www.apache.org/dev/release-distribution
> >   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
> >
> >  Thanks, groeten,
> >
> >  Henk Penning -- apache.org infrastructure ; dist & mirrors.
> >
> > ------------------------------------------------------------   _
> > Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
> > Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
> > Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
> > http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/
>
>
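As an added example (not the release plugin's code or anything posted in this thread), a small Python helper that sorts a dist directory listing into the same categories as the inventory above (no checksum / only MD5 / only SHA, plus the "SHA and MD5 both present, drop the MD5" case) and writes and verifies a .sha512 file in sha512sum(1) layout; the artifact names and contents are constructed placeholders.

```python
import hashlib
import hmac
from pathlib import Path

# Extensions as defined in the policy mail:
# MD5-file == .md5 ; SHA-file == .sha1, .sha256 or .sha512
SHA_EXTS = {".sha1", ".sha256", ".sha512"}
MD5_EXT = ".md5"
SIG_EXT = ".asc"

# Constructed dist listing (placeholder project name, not a real release).
SAMPLE_DIST = [
    "commons-foo-1.1-bin.tar.gz", "commons-foo-1.1-bin.tar.gz.asc",
    "commons-foo-1.1-bin.tar.gz.md5", "commons-foo-1.1-bin.tar.gz.sha1",
    "commons-foo-1.1-src.tar.gz", "commons-foo-1.1-src.tar.gz.md5",
    "commons-foo-1.1-src.zip", "commons-foo-1.1-src.zip.sha512",
    "commons-foo-1.1-bin.zip", "commons-foo-1.1-bin.zip.asc",
]

def classify(names):
    """Map each release artifact to its status under the new checksum policy."""
    files = set(names)
    status = {}
    for name in names:
        if Path(name).suffix in SHA_EXTS | {MD5_EXT, SIG_EXT}:
            continue  # checksum and signature files are not artifacts themselves
        has_sha = any(f"{name}{ext}" in files for ext in SHA_EXTS)
        has_md5 = f"{name}{MD5_EXT}" in files
        if has_sha and has_md5:
            status[name] = "compliant; remove MD5-file"
        elif has_sha:
            status[name] = "compliant"
        elif has_md5:
            status[name] = "only MD5; update tooling"
        else:
            status[name] = "no checksum; non-compliant"
    return status

def sha512_file_text(data: bytes, name: str) -> str:
    """Contents of a .sha512 file for `data`, in `<hex>  <name>` (sha512sum) layout."""
    return f"{hashlib.sha512(data).hexdigest()}  {name}\n"

def verify_sha512(data: bytes, name: str, sha512_text: str) -> bool:
    """Check downloaded bytes against a .sha512 file; accepts hash-only files too."""
    expected, _, listed = sha512_text.strip().partition("  ")
    if listed not in ("", name):
        return False  # checksum file refers to a different artifact
    actual = hashlib.sha512(data).hexdigest()
    return hmac.compare_digest(expected.lower(), actual)
```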
