aries-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Holly Cummins <>
Subject Re: .asc.md5 & .asc.sha1 files
Date Mon, 17 Sep 2012 19:59:44 GMT
Hi Jeremy,

I was also asked to remove those files. :) It looks like the .asc.md5
and .asc.sha1 files are produced by an interaction between the GPG
plugin and the maven release plugin. I found a few Apache projects
whose release instructions said the files should be deleted, so I went
ahead and removed them, and corrected our scripts so they don't get
uploaded in future.


On Mon, Sep 17, 2012 at 3:43 PM, Jeremy Hughes <> wrote:
> It's been pointed out that we have a large number of these files in
> and that they don't serve any purpose. When
> I looked again at
> I realised we only need:
> <released artifact>
> <released artifact>.asc
> <released artifact>.md5
> <released artifact>.sha1
> in fact we probably should have .sha512 as well but that's another
> discussion. There's no need to provide hash sums of the signatures!
> So ... you can check the validity of the released artifact by
> downloading from anywhere that's serving it up as long as you compare
> the its hash with the hash in the hashsum file served out from
> Verifying the signature will go that step further by checking that the
> person who created the released artifact is in the Apache web of
> trust.
> So, I would like to remvoe the the superfluous .asc.md5 / .asc.sha1
> files and for us to not create them in our release process any longer.
> I'll remove them in 24 hours to wait for objections, if any.
> Thanks,
> Jeremy

View raw message