falcon-dev mailing list archives

From Pallavi Rao <pallavi....@inmobi.com>
Subject Fwd: checksum file Release Distribution Policy
Date Mon, 05 Mar 2018 11:35:04 GMT
See note below. We should no longer have MD5 as part of our release:
     -- for new releases :
        -- please do provide a SHA-file (one or more, if you like)
        -- do NOT provide a MD5-file

Sandeep,
This will apply to our 0.11 release too. Please handle the same.

Thanks,
Pallavi

---------- Forwarded message ----------
From: Henk P. Penning <penning@uu.nl>
Date: Mon, Mar 5, 2018 at 4:48 PM
Subject: checksum file Release Distribution Policy
To: henkp@apache.org


Hi Pmcs,

   The Release Distribution Policy[1] changed regarding checksum files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

     MD5-file == a .md5 file
     SHA-file == a .sha1, .sha256 or .sha512 file

  Old policy :

     -- MUST provide a MD5-file
     -- SHOULD provide a SHA-file [SHA-512 recommended]

  New policy :

     -- MUST provide a SHA- or MD5-file
     -- SHOULD provide a SHA-file
     -- SHOULD NOT provide a MD5-file

     Providing MD5 checksum files is now discouraged for new releases,
     but still allowed for past releases.

  Why this change :

     -- MD5 is broken for many purposes ; we should move away from it.
        https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

  Impact for PMCs :

     -- for new releases :
        -- please do provide a SHA-file (one or more, if you like)
        -- do NOT provide a MD5-file

     -- for past releases :
        -- you are not required to change anything
        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
           it would be nice if you removed the MD5-file

     -- if, at the moment, you provide MD5-files,
        please adjust your release tooling.

  Please mail me (henkp@apache.org) if you have any questions etc.

  FYI :

   Many projects are not (entirely, strictly) checksum file compliant.
   For an overview/inventory (by project) see :

    https://checker.apache.org/dist/unsummed.html

  At the moment :

     -- no checksum : 176 packages in 28 projects ; non-compliant
     -- only MD5    : 495 packages in 44 projects ; update tooling
     -- only SHA    : 135 packages in 13 projects ; now compliant

   In many cases, only a few (among many) checksum files are missing ;
   you may want to fix that.

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

  Thanks, groeten,

  Henk Penning -- apache.org infrastructure ; dist & mirrors.

------------------------------------------------------------
Henk P. Penning, ICT-beta                 R Uithof MG-403
Faculty of Science, Utrecht University    T +31 30 253 4106
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl
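As an added example, not part of this mail thread and not Apache's own release tooling: a small POSIX shell script that does what the forwarded policy asks of release tooling. It writes the `.sha512` file for an artifact, verifies an artifact against its stored digest, lists any leftover `.md5` files, and audits a release directory for artifacts that lack a matching SHA file or still ship an MD5 file. The function names and the constructed demo artifact are assumptions; the `sha512sum`/`shasum` tools and the two-space "digest  filename" layout are standard.

```shell
#!/bin/sh
# Added example, not from the original mail or from Apache's release tooling.
# Function names and the constructed demo artifact below are assumptions.

# Hex SHA-512 digest of one file (coreutils sha512sum, or BSD/macOS shasum).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Write <artifact>.sha512 as "<digest>  <basename>", the layout that
# `sha512sum -c` accepts when run from the artifact's directory.
write_sha512_file() {
  printf '%s  %s\n' "$(sha512_of "$1")" "$(basename "$1")" > "$1.sha512"
}

# Recompute the digest and compare it with the stored one.
# Returns 0 on match, 1 when the .sha512 file is missing or the digest differs.
verify_sha512_file() {
  [ -f "$1.sha512" ] || return 1
  expected=$(awk 'NR==1 {print $1}' "$1.sha512")
  [ "$expected" = "$(sha512_of "$1")" ]
}

# List .md5 files under a directory (the new policy: SHOULD NOT provide them).
list_md5_files() {
  find "$1" -type f -name '*.md5'
}

# Audit a release directory: every artifact needs a matching .sha512 and
# should not carry an .md5 file. Returns 0 when compliant, 1 otherwise,
# printing one line per problem found.
audit_release_dir() {
  rc=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.sha512|*.sha256|*.sha1|*.md5|*.asc) continue ;;  # checksum/signature files
    esac
    if ! verify_sha512_file "$f"; then
      echo "missing or mismatched sha512: $f"; rc=1
    fi
    if [ -f "$f.md5" ]; then
      echo "discouraged .md5 present: $f.md5"; rc=1
    fi
  done
  return $rc
}

# Demo on a constructed artifact in a temporary directory.
demo=$(mktemp -d)
printf 'constructed release tarball contents\n' > "$demo/example-0.11-bin.tar.gz"
write_sha512_file "$demo/example-0.11-bin.tar.gz"
cat "$demo/example-0.11-bin.tar.gz.sha512"
audit_release_dir "$demo" && echo "release dir compliant"
rm -rf "$demo"
```

Run `audit_release_dir /path/to/dist/project/release` against a staged release before publishing; a non-zero exit means either a SHA file is missing or an `.md5` file is still present, which is exactly the "update tooling" case in the inventory above.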

