Details
Bug
Status: Closed
Major
Resolution: Fixed
Description
Currently as part of the release we generate .md5 and .sha1 digests (as well as the pgp .asc file) and the download page http://calcite.apache.org/downloads/ references the md5 and pgp but not the sha1.
Per http://www.apache.org/dev/release-signing.html#md5-security md5 is no longer secure, and sha512 is preferred over sha256. The best approach seems to be to generate multiple digests, and generate new ones as best practices change. I think we should generate a checksum file with a .mds suffix as follows:
$ gpg --print-mds apache-calcite-1.8.0-src.tar.gz | tee apache-calcite-1.8.0-src.tar.gz.mds
apache-calcite-1.8.0-src.tar.gz: MD5 = B2 5D 0C 14 8B FE 20 0C 16 47 13 96 D9 2E C4 6D
apache-calcite-1.8.0-src.tar.gz: SHA1 = 4246 C20C BAA0 6534 B628 ADCB 1D5E 3AF1 4DE4 A864
apache-calcite-1.8.0-src.tar.gz: RMD160 = ED29 BD56 D430 AD30 EB17 67CB 34C6 FCB0 47DB 58C5
apache-calcite-1.8.0-src.tar.gz: SHA224 = 40333911 B0852673 08009F4B 747C88AD B9996629 EE9BC16E 4492F367
apache-calcite-1.8.0-src.tar.gz: SHA256 = E5C1DD83 14146A58 3AD44BAF 40F19F4C D39A95FC E438231D 186F335B C86D6551
apache-calcite-1.8.0-src.tar.gz: SHA384 = B2619FD2 E17C1CFB 199AE44B D15E79CA DFAC6AFF D2F00D28 851D2DA2 F07B210E F7349BED 44524A16 4990B79D A36D2B29
apache-calcite-1.8.0-src.tar.gz: SHA512 = 18CFCA89 53874D31 80C60C6C 8D89652D 36AA1DAC 4007E113 02BCCDC3 E7465182 78B86071 431195D6 940773A7 F5314B09 5749791B 55F82E25 60C89735 29B4B468
Apache Ranger already does this; see http://ranger.apache.org/download.html.
We would no longer generate .md5 and .sha1 files, but would continue to generate the .asc file.
Issue Links
- blocks CALCITE-1356 Release Calcite 1.9.0 (Closed)
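An added example, not part of the issue or of the Calcite release tooling: a downloader-side check that parses a `.mds` file in the `gpg --print-mds` layout shown above and accepts an artifact only on a SHA-256 or stronger digest, never on MD5 or SHA1 alone. The sample data and `.mds` text are constructed, and the indented continuation lines for a wrapped digest are an assumed layout.

```python
import hashlib
import re

# gpg labels mapped to hashlib names. RMD160 is left out because hashlib
# does not always provide it; unknown labels are parsed but not checked.
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA224": "sha224",
         "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}
STRONG = ("SHA512", "SHA384", "SHA256")  # acceptable for verification, strongest first
ENTRY = re.compile(r"^(?P<name>.+?):\s*(?P<algo>[A-Z0-9]+)\s*=\s*(?P<hex>[0-9A-Fa-f\s]+)$")

# Constructed sample: digests of the three bytes b"abc", not a real release.
SAMPLE_DATA = b"abc"
SAMPLE_MDS = """\
sample.tar.gz:    MD5 = 90 01 50 98 3C D2 4F B0  D6 96 3F 7D 28 E1 7F 72
sample.tar.gz:   SHA1 = A999 3E36 4706 816A BA3E  2571 7850 C26C 9CD0 D89D
sample.tar.gz: SHA512 = DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2
                        0A9EEEE6 4B55D39A 2192992A 274FC1A8 36BA3C23 A3FEEBBD
                        454D4423 643CE80E 2A9AC94F A54CA49F
"""


def parse_mds(text):
    """Return {algorithm label: lowercase hex digest} from .mds text."""
    digests, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = m.group("algo")
            digests[current] = "".join(m.group("hex").split()).lower()
        elif current and line.strip() and re.fullmatch(r"[0-9A-Fa-f\s]+", line):
            # Continuation of a digest wrapped onto the next line (assumed layout).
            digests[current] += "".join(line.split()).lower()
    return digests


def verify(data, mds_text):
    """Require a strong digest to be listed, then check every known digest."""
    digests = parse_mds(mds_text)
    chosen = next((a for a in STRONG if a in digests), None)
    if chosen is None:
        return {"ok": False, "algo": None, "reason": "no SHA-256 or stronger digest listed"}
    mismatched = [a for a, h in digests.items()
                  if a in ALGOS and hashlib.new(ALGOS[a], data).hexdigest() != h]
    return {"ok": not mismatched, "algo": chosen, "mismatched": mismatched}
```

A digest match only shows the download agrees with the `.mds` file; the `.asc` signature is what ties the artifact to the release manager's key.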