Description
Per email from Henk to PMCs:
The Release Distribution Policy[1] changed regarding checksum files. See under "Cryptographic Signatures and Checksums Requirements" [2].

MD5-file == a .md5 file
SHA-file == a .sha1, sha256 or .sha512 file

Old policy :
-- MUST provide a MD5-file
-- SHOULD provide a SHA-file [SHA-512 recommended]

New policy :
-- MUST provide a SHA- or MD5-file
-- SHOULD provide a SHA-file
-- SHOULD NOT provide a MD5-file

Providing MD5 checksum files is now discouraged for new releases, but still allowed for past releases.

Why this change :
-- MD5 is broken for many purposes ; we should move away from it.
   https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

Impact for PMCs :
-- for new releases :
   -- please do provide a SHA-file (one or more, if you like)
   -- do NOT provide a MD5-file
-- for past releases :
   -- you are not required to change anything
   -- for artifacts accompanied by a SHA-file /and/ a MD5-file, it would be nice if you removed the MD5-file
-- if, at the moment, you provide MD5-files, please adjust your release tooling.
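One way a release script could apply the policy quoted above. This is an added example, not part of the email or of any project's release tooling. The function names, the "digest  filename" layout of the .sha512 file and the skipping of .asc signature files are assumptions.

```python
import hashlib
from pathlib import Path

SHA_EXTS = (".sha1", ".sha256", ".sha512")  # "SHA-file" as defined in the email
MD5_EXT = ".md5"                            # "MD5-file"
SIDECARS = SHA_EXTS + (MD5_EXT, ".asc")     # .asc is an assumption, not in the email


def write_sha512(artifact: Path) -> Path:
    """Write <artifact>.sha512 as 'hexdigest  filename' (layout is an assumption)."""
    digest = hashlib.sha512()
    with artifact.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    out = artifact.with_name(artifact.name + ".sha512")
    out.write_text(f"{digest.hexdigest()}  {artifact.name}\n")
    return out


def audit_release(directory: Path, new_release: bool = True) -> dict:
    """Map each artifact name to its policy findings; an empty list means no action."""
    findings = {}
    for artifact in sorted(directory.iterdir()):
        # Checksum and signature files are sidecars, not artifacts to audit.
        if not artifact.is_file() or artifact.name.endswith(SIDECARS):
            continue
        has_sha = any((directory / (artifact.name + e)).exists() for e in SHA_EXTS)
        has_md5 = (directory / (artifact.name + MD5_EXT)).exists()
        issues = []
        if not (has_sha or has_md5):
            issues.append("MUST: no SHA- or MD5-file")
        if new_release and has_md5 and not has_sha:
            issues.append("SHOULD: no SHA-file")
        if new_release and has_md5:
            issues.append("SHOULD NOT: MD5-file on a new release")
        if not new_release and has_sha and has_md5:
            issues.append("past release has both: MD5-file can be removed")
        findings[artifact.name] = issues
    return findings


if __name__ == "__main__":
    import sys
    release_dir = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, issues in audit_release(release_dir).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Past releases that carry only an MD5-file produce no finding, matching "you are not required to change anything".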