ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Kozlov <skoz...@gridgain.com>
Subject Re: .sha Release Distribution Policy
Date Thu, 17 Aug 2017 08:32:39 GMT
Denis

Also we don't use .sha extension so we already follow that rules

On Thu, Aug 17, 2017 at 10:57 AM, Oleg Ostanin <oostanin@gridgain.com>
wrote:

> Hi, Denis
>
> Yes, we have a ticket that already takes this into account:
> https://issues.apache.org/jira/browse/IGNITE-5817
> I think we can create both sha-256 and sha-512 checksums.
>
> Best regards
> Oleg
>
> On Thu, Aug 17, 2017 at 1:51 AM, Denis Magda <dmagda@apache.org> wrote:
>
> > Igniters, especially the release managers,
> >
> > Please consider these changes and recommendations for the next release.
> Do
> > we have any ticket that already takes this into account?
> >
> > —
> > Denis
> >
> > > Begin forwarded message:
> > >
> > > From: "Henk P. Penning" <penning@uu.nl>
> > > Subject: .sha Release Distribution Policy
> > > Date: August 16, 2017 at 1:55:57 AM PDT
> > > To: <henkp@apache.org>
> > > Reply-To: private@ignite.apache.org
> > >
> > > Hi PMC,
> > >
> > >   The Release Distribution Policy[1] changed regarding .sha files.
> > >   See under "Cryptographic Signatures and Checksums Requirements" [2].
> > >
> > >  Old policy :
> > >
> > >    -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
> > >
> > >  New policy :
> > >
> > >     -- use .sha1 for a SHA-1 checksum
> > >     -- use .sha256 for a SHA-256 checksum
> > >     -- use .sha512 for a SHA-512 checksum
> > >     -- [*] .sha should contain a SHA-1
> > >
> > >  Why this change ?
> > >
> > >     -- Verifying a checksum under the old policy is/was not handy.
> > >        You have to inspect the .sha to find out which algorithm
> > >        should be used ; or try them all (SHA-1, SHA256, etc).
> > >        The new scheme avoids this ambiguity.
> > >     -- The last point[*] was only added for clarity. Most of the
> > >        old, stale .sha's contain a SHA-1. The relatively new .sha's
> > >        contain a SHA-512. The expectation is that the last catagory
> will
> > >        disappear, when active projects adapt to the 'new' convention.
> > >
> > >  Impact :
> > >
> > >     -- Should be none ; many projects already use the 'new' convention.
> > >     -- Please ask your release managers to use .sha1, .sha256, .sha512
> > >        instead of the .sha extension.
> > >     -- Please fix your build-tools if you have any.
> > >
> > >  Piggyback :
> > >
> > >     -- The policy requires a .md5 for every package ;
> > >        providing a .sha512 is recommended.
> > >        Since MD5 is essentially broken, it is to be expected that
> > >        in the future a .sha512 will be required.
> > >        Perhaps it is wize to start providing .sha512's
> > >        with your releases if you do not already do so.
> > >
> > >     -- Visit http://mirror-vm.apache.org/checker/
> > >        to check the health of your /dist/-area ;
> > >        my stuff ; any feedback is most welcome.
> > >
> > >  Thanks ; regards,
> > >
> > >  Henk Penning
> > >
> > >   [1] http://www.apache.org/dev/release-distribution
> > >   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
> > >
> > > ------------------------------------------------------------
> > > Henk P. Penning ; apache.org infrastructure volunteer.
> > > henkp@apache.org ; http://mirror-vm.apache.org/~henkp/
> >
> >
>



-- 
Sergey Kozlov
GridGain Systems
www.gridgain.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message