community-dev mailing list archives

From Christopher <ctubb...@apache.org>
Subject Re: SHA512 by default for GPG sigs
Date Wed, 18 May 2016 20:46:44 GMT
Yes, that is correct. I'm referring to the ASF-wide parent pom.

If I understand the situation correctly, releases of that POM are managed
by the Maven PMC, but because of its utility throughout the ASF, Hervé
Boutemy had commented on MPOM-118 that it should be brought to the
attention of a larger audience. This thread is the result of his
observation. :)

But there is no harm done. Thanks for providing an opportunity to clarify.

On Wed, May 18, 2016 at 3:26 PM Greg Trasuk <trasukg@stratuscom.com> wrote:

> Whoops.  Sorry about that.
>
> Greg
>
> > On May 18, 2016, at 2:50 PM, Benson Margulies <bimargulies@gmail.com> wrote:
> >
> > Greg, the proposal is for the _Default ASF POM_ to be set up so that
> > _all_ projects would use SHA-512. This is not a question for the Maven
> > PMC.
> >
> > On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <trasukg@stratuscom.com> wrote:
> >>
> >> Hi Christopher:
> >>
> >> Thanks for your involvement.  Apache Maven is one of many projects at
> >> the Apache Software Foundation.  Each project has its own mailing lists.
> >> So your discussion should probably go to dev@maven.apache.org, which I’ve
> >> cc’d on this response.  If you’re not subscribed to that list, you probably
> >> should do that as well - check the Apache Maven web site
> >> (http://maven.apache.org) for more info.
> >>
> >> Thanks again,
> >>
> >> Greg Trasuk
> >>
> >>> On May 18, 2016, at 1:45 PM, Christopher <ctubbsii@apache.org> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I'm not sure of a better list to get feedback on, but I wanted to bring
> >>> attention to the proposal here:
> >>> https://issues.apache.org/jira/browse/MPOM-118
> >>>
> >>> Essentially this is a suggestion to configure the maven-gpg-plugin to
> >>> sign using SHA512 as its digest algorithm in the ASF Parent POM, used by
> >>> many Maven/Java-based projects within ASF. This configuration takes
> >>> effect during software releases when this plugin is activated (typically
> >>> prior to a release candidate vote, and staging a release in Nexus for
> >>> distribution to Maven Central).
> >>>
> >>> This would only affect the hash algorithm used to generate GPG
> >>> signatures for releases, and not any separate SHA/MD hashes published
> >>> separately by any project, which can be weaker (SHA1, MD5) for
> >>> convenience, and don't convey the strong authenticity statement that
> >>> digital signatures provide.
> >>>
> >>> For background, gpg uses SHA1 by default, unless the signing key or gpg
> >>> configuration has a preference to use another algorithm (as described
> >>> on https://www.apache.org/dev/openpgp).
> >>>
> >>> This proposed configuration change wouldn't force the use of SHA512 (it
> >>> could still be overridden by a project), but it would make it the
> >>> default, which helps improve the security of releases in the case where
> >>> release managers have failed to keep their configuration up-to-date
> >>> with the best recommendations for using gpg.
> >>>
> >>> Thoughts? +1s? Discuss here or on the JIRA please.
> >>>
> >>> Thank you.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> >> For additional commands, e-mail: dev-help@maven.apache.org
>
