INFRA-22540 (Infrastructure project)

Change "Apache Rules" in Nexus to check for sha256/512 instead of sha1/md5


Details

    Type: Improvement
    Status: Closed
    Priority: Major
    Resolution: Fixed
    Component: Nexus

    Description

      The Release Distribution Policy (https://infra.apache.org/release-distribution) states:
      "PMCs must supply SHA-256 and/or SHA-512 and should not supply MD5 or SHA-1."

      However, currently the Apache Rules in Nexus appear to require that all files (including .zip and .tar.gz) have .sha1 and .md5 counterparts. For our project, "closing" a release candidate fails with:

      Event: Failed: Checksum Validation
      typeId checksum-staging
      failureMessage Required SHA-1:
      '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1'
      failureMessage Required MD5:
      '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5'
      failureMessage Required SHA-1:
      '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1'
      failureMessage Required MD5:
      '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5'

      Can the Apache Rules in Nexus be adapted to allow, or even enforce, that files (other than .jar/.pom) be signed with sha256/sha512 instead of sha1/md5?
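      As an added illustration (not Nexus's own rule engine, which the issue does not show), the following check applies the quoted policy to a staged tree: every artifact must have a matching .sha256 or .sha512 sidecar, and .md5/.sha1 sidecars are flagged. The artifact paths and file contents are constructed to mirror the RC3 layout in the failure output above.

```python
import hashlib
from typing import Dict, List

REQUIRED_ANY = ("sha256", "sha512")   # policy: must supply at least one of these
DISCOURAGED = ("md5", "sha1")         # policy: should not be supplied
SIDECAR_SUFFIXES = tuple(f".{a}" for a in REQUIRED_ANY + DISCOURAGED)

# Constructed artifact path mirroring the one quoted in the issue (hypothetical content).
BASE = "/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release"


def _sidecar_digest(raw: bytes) -> str:
    """Parse a sidecar: either bare hex or `sha512sum` style 'hex  filename'."""
    fields = raw.decode("ascii", "replace").split()
    return fields[0].lower() if fields else ""


def check_release(files: Dict[str, bytes]) -> List[str]:
    """Return Nexus-style failure messages for a staged tree; [] means compliant."""
    failures: List[str] = []
    artifacts = sorted(p for p in files if not p.endswith(SIDECAR_SUFFIXES))
    for path in artifacts:
        present = [a for a in REQUIRED_ANY if f"{path}.{a}" in files]
        if not present:
            failures.append(f"Required SHA-256 or SHA-512: '{path}'")
        for algo in present:  # a sidecar only counts if it actually matches the artifact
            expected = hashlib.new(algo, files[path]).hexdigest()
            if _sidecar_digest(files[f"{path}.{algo}"]) != expected:
                failures.append(f"Checksum mismatch ({algo.upper()}): '{path}.{algo}'")
        for algo in DISCOURAGED:
            if f"{path}.{algo}" in files:
                failures.append(f"Discouraged {algo.upper()}: '{path}.{algo}'")
    return failures


def demo_release() -> Dict[str, bytes]:
    """Constructed staging tree: the .zip follows the policy, the .tar.gz only has old sidecars."""
    zip_data = b"constructed zip payload"
    tgz_data = b"constructed tar.gz payload"
    return {
        BASE + ".zip": zip_data,
        BASE + ".zip.sha512": (hashlib.sha512(zip_data).hexdigest()
                               + "  jdo-3.2-RC3-source-release.zip\n").encode(),
        BASE + ".tar.gz": tgz_data,
        BASE + ".tar.gz.sha1": hashlib.sha1(tgz_data).hexdigest().encode(),
        BASE + ".tar.gz.md5": hashlib.md5(tgz_data).hexdigest().encode(),
    }


if __name__ == "__main__":
    for msg in check_release(demo_release()) or ["Checksum validation passed"]:
        print("failureMessage", msg)
```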


      Attachments

        1. ShaTestContent.png (71 kB, Brian E Fox)
        2. ShaTestBefore.png (59 kB, Brian E Fox)
        3. ShaTestAfter.png (31 kB, Brian E Fox)

      People

        Assignee: Unassigned
        Reporter: Tilmann Zäschke (tilmannz)