Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.9.0, 1.10.0
- Fix Version/s: None
- Component/s: None
Description
Hi PMC,

The Release Distribution Policy[1] changed regarding .sha files.
See under "Cryptographic Signatures and Checksums Requirements" [2].

Old policy :
– use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

New policy :
– use .sha1 for a SHA-1 checksum
– use .sha256 for a SHA-256 checksum
– use .sha512 for a SHA-512 checksum
– [*] .sha should contain a SHA-1

Why this change ?
– Verifying a checksum under the old policy is/was not handy.
You have to inspect the .sha to find out which algorithm
should be used ; or try them all (SHA-1, SHA256, etc).
The new scheme avoids this ambiguity.
– The last point[*] was only added for clarity. Most of the
old, stale .sha's contain a SHA-1. The relatively new .sha's
contain a SHA-512. The expectation is that the last category will
disappear, when active projects adapt to the 'new' convention.

Impact :
– Should be none ; many projects already use the 'new' convention.
– Please ask your release managers to use .sha1, .sha256, .sha512
instead of the .sha extension.
– Please fix your build-tools if you have any.

Piggyback :
– The policy requires a .md5 for every package ;
providing a .sha512 is recommended.
Since MD5 is essentially broken, it is to be expected that
in the future a .sha512 will be required.
Perhaps it is wise to start providing .sha512's
with your releases if you do not already do so.
– Visit http://mirror-vm.apache.org/checker/
to check the health of your /dist/-area ;
my stuff ; any feedback is most welcome.

Thanks ; regards,
Henk Penning

[1] http://www.apache.org/dev/release-distribution
[2] http://www.apache.org/dev/release-distribution#sigs-and-sums
------------------------------------------------------------
Henk P. Penning ; apache.org infrastructure volunteer.
henkp@apache.org ; http://mirror-vm.apache.org/~henkp/
We will need to update the build.sh to conform to these activities.
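As an added example (not part of this issue, not Henk Penning's mail, and not the project's own build.sh), the script below shows the two halves of what the policy change asks for: writing checksum files under the new extension scheme, and verifying an artifact against a checksum file by taking the algorithm from the extension instead of guessing it, with the legacy `.sha` case resolved by digest length. It assumes GNU coreutils `sha1sum`/`sha256sum`/`sha512sum`/`md5sum` on PATH and checksum files in the coreutils `<hex>  <filename>` format; the function names are my own.

```shell
#!/bin/sh
# Added example, not the project's build.sh. Assumes GNU coreutils checksum
# tools on PATH and checksum files in "<hex>  <filename>" format.

# make_checksums FILE : writes FILE.md5 (required by the policy) and
# FILE.sha512 (recommended) next to FILE, using the new extension scheme.
make_checksums() {
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && sha512sum "$base" > "$base.sha512" && md5sum "$base" > "$base.md5")
}

# algo_for_checksum_file PATH : map the extension to the verifying tool.
# Legacy .sha files are ambiguous (old ones hold SHA-1, newer ones SHA-512),
# so for those the hex digest length decides: 40 / 64 / 128 characters.
algo_for_checksum_file() {
    case "$1" in
        *.sha1)   echo sha1sum ;;
        *.sha256) echo sha256sum ;;
        *.sha512) echo sha512sum ;;
        *.md5)    echo md5sum ;;
        *.sha)
            hexlen=$(awk '{ print length($1); exit }' "$1")
            case "$hexlen" in
                40)  echo sha1sum ;;
                64)  echo sha256sum ;;
                128) echo sha512sum ;;
                *)   return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# verify_checksum_file PATH : returns 0 when the artifact named inside the
# checksum file matches, 1 on mismatch, 2 when the format is unknown.
# The check runs from the checksum file's directory because the file
# references the artifact by its base name.
verify_checksum_file() {
    tool=$(algo_for_checksum_file "$1") || {
        echo "unknown checksum format: $1" >&2; return 2; }
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && "$tool" -c --status "$base")
}

# Usage demo on a constructed artifact: ./checksums.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'constructed release artifact\n' > "$d/artifact.tar.gz"
    make_checksums "$d/artifact.tar.gz"
    verify_checksum_file "$d/artifact.tar.gz.sha512" && echo "sha512 ok"
    verify_checksum_file "$d/artifact.tar.gz.md5" && echo "md5 ok"
    rm -rf "$d"
fi
```

The verification step is the reason the new extensions matter: with `.sha512` the tool is known before the file is opened, whereas a legacy `.sha` still needs the length heuristic, which is exactly the ambiguity the mail describes.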