Uploaded image for project: 'Calcite'
  1. Calcite
  2. CALCITE-1329

As part of release, generate a file containing multiple digests



    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 1.9.0
    • None
    • None


      Currently as part of the release we generate .md5 and .sha1 digests (as well as the pgp .asc file) and the download page http://calcite.apache.org/downloads/ references the md5 and pgp but not the sha1.

      Per http://www.apache.org/dev/release-signing.html#md5-security md5 is no longer secure, and sha512 is preferred over sha256. The best approach seems to be to generate multiple digests, and generate new ones as best practices change. I think we should generate checksum file with a .mds suffix as follows:

      $ gpg --print-mds apache-calcite-1.8.0-src.tar.gz | tee apache-calcite-1.8.0-src.tar.gz.mds
      apache-calcite-1.8.0-src.tar.gz:    MD5 = B2 5D 0C 14 8B FE 20 0C  16 47 13 96
                                                D9 2E C4 6D
      apache-calcite-1.8.0-src.tar.gz:   SHA1 = 4246 C20C BAA0 6534 B628  ADCB 1D5E
                                                3AF1 4DE4 A864
      apache-calcite-1.8.0-src.tar.gz: RMD160 = ED29 BD56 D430 AD30 EB17  67CB 34C6
                                                FCB0 47DB 58C5
      apache-calcite-1.8.0-src.tar.gz: SHA224 = 40333911 B0852673 08009F4B 747C88AD
                                                B9996629 EE9BC16E 4492F367
      apache-calcite-1.8.0-src.tar.gz: SHA256 = E5C1DD83 14146A58 3AD44BAF 40F19F4C
                                                D39A95FC E438231D 186F335B C86D6551
      apache-calcite-1.8.0-src.tar.gz: SHA384 = B2619FD2 E17C1CFB 199AE44B D15E79CA
                                                DFAC6AFF D2F00D28 851D2DA2 F07B210E
                                                F7349BED 44524A16 4990B79D A36D2B29
      apache-calcite-1.8.0-src.tar.gz: SHA512 = 18CFCA89 53874D31 80C60C6C 8D89652D
                                                36AA1DAC 4007E113 02BCCDC3 E7465182
                                                78B86071 431195D6 940773A7 F5314B09
                                                5749791B 55F82E25 60C89735 29B4B468

      Apache Ranger already does this; see http://ranger.apache.org/download.html.

      We would no longer generate .md5 and .sha1 files, but would continue to generate the .asc file.


        Issue Links



              julianhyde Julian Hyde
              julianhyde Julian Hyde
              0 Vote for this issue
              1 Start watching this issue