Description
Apache has updated it's policy on the release signatures, as per it's website here and a recent email. Basically, all future releases should be providing a sha512 checksum instead of an md5 one.
There are two tasks:
- Update the release script to use sha512 instead of md5
https://github.com/apache/oozie/blob/master/bin/create-release-artifact#L71
https://www.apache.org/dev/release-signing#sha-checksum - Update the wiki (requires committer/pmc permissions?)
https://cwiki.apache.org/confluence/display/OOZIE/How+To+Release
While we're updating the wiki, we should add details on:
- Making sure the gpg key used for signing releases is 4096 bit RSA
- Publishing your gpg public key to a key server (https://www.apache.org/dev/release-signing#keyserver)