uima-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marshall Schor (JIRA)" <...@uima.apache.org>
Subject [jira] [Commented] (UIMA-5856) Use modern checksum algorithms during release
Date Wed, 17 Oct 2018 20:23:00 GMT

    [ https://issues.apache.org/jira/browse/UIMA-5856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16654146#comment-16654146

Marshall Schor commented on UIMA-5856:

The design generates checksums and signatures for the pom, the main artifact, and all attached
artifacts (attached means goes to maven central, and .m2).  Additionally, it handles as a
special case the top-level source-release.zip file which is not attached.  

> Use modern checksum algorithms during release
> ---------------------------------------------
>                 Key: UIMA-5856
>                 URL: https://issues.apache.org/jira/browse/UIMA-5856
>             Project: UIMA
>          Issue Type: Improvement
>          Components: Build, Packaging and Test, Website
>            Reporter: Richard Eckart de Castilho
>            Assignee: Richard Eckart de Castilho
>            Priority: Major
>             Fix For: parent-pom-12
> Apache policy requires that we drop generating MD5 / SHA1 checksums and switch:
> – for new releases :
>  – you MUST supply a SHA-256 and/or SHA-512 file
>  – you SHOULD NOT supply MD5 or SHA-1 files
> See http://www.apache.org/dev/release-distribution#sigs-and-sums
> Best place to do this would be the parent-pom.
> Its a bit of a blocker for producing any new releases unless sub-projects override all
the code-signing provisions in the UIMA parent pom.

This message was sent by Atlassian JIRA

View raw message