ignite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Denis Magda <dma...@apache.org>
Subject Re: .sha Release Distribution Policy
Date Thu, 17 Aug 2017 20:29:02 GMT
Guys, 

Thanks for the confirmation and taking care of this.

—
Denis

> On Aug 17, 2017, at 1:32 AM, Sergey Kozlov <skozlov@gridgain.com> wrote:
> 
> Denis
> 
> Also we don't use .sha extension so we already follow that rules
> 
> On Thu, Aug 17, 2017 at 10:57 AM, Oleg Ostanin <oostanin@gridgain.com>
> wrote:
> 
>> Hi, Denis
>> 
>> Yes, we have a ticket that already takes this into account:
>> https://issues.apache.org/jira/browse/IGNITE-5817
>> I think we can create both sha-256 and sha-512 checksums.
>> 
>> Best regards
>> Oleg
>> 
>> On Thu, Aug 17, 2017 at 1:51 AM, Denis Magda <dmagda@apache.org> wrote:
>> 
>>> Igniters, especially the release managers,
>>> 
>>> Please consider these changes and recommendations for the next release.
>> Do
>>> we have any ticket that already takes this into account?
>>> 
>>> —
>>> Denis
>>> 
>>>> Begin forwarded message:
>>>> 
>>>> From: "Henk P. Penning" <penning@uu.nl>
>>>> Subject: .sha Release Distribution Policy
>>>> Date: August 16, 2017 at 1:55:57 AM PDT
>>>> To: <henkp@apache.org>
>>>> Reply-To: private@ignite.apache.org
>>>> 
>>>> Hi PMC,
>>>> 
>>>>  The Release Distribution Policy[1] changed regarding .sha files.
>>>>  See under "Cryptographic Signatures and Checksums Requirements" [2].
>>>> 
>>>> Old policy :
>>>> 
>>>>   -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
>>>> 
>>>> New policy :
>>>> 
>>>>    -- use .sha1 for a SHA-1 checksum
>>>>    -- use .sha256 for a SHA-256 checksum
>>>>    -- use .sha512 for a SHA-512 checksum
>>>>    -- [*] .sha should contain a SHA-1
>>>> 
>>>> Why this change ?
>>>> 
>>>>    -- Verifying a checksum under the old policy is/was not handy.
>>>>       You have to inspect the .sha to find out which algorithm
>>>>       should be used ; or try them all (SHA-1, SHA256, etc).
>>>>       The new scheme avoids this ambiguity.
>>>>    -- The last point[*] was only added for clarity. Most of the
>>>>       old, stale .sha's contain a SHA-1. The relatively new .sha's
>>>>       contain a SHA-512. The expectation is that the last catagory
>> will
>>>>       disappear, when active projects adapt to the 'new' convention.
>>>> 
>>>> Impact :
>>>> 
>>>>    -- Should be none ; many projects already use the 'new' convention.
>>>>    -- Please ask your release managers to use .sha1, .sha256, .sha512
>>>>       instead of the .sha extension.
>>>>    -- Please fix your build-tools if you have any.
>>>> 
>>>> Piggyback :
>>>> 
>>>>    -- The policy requires a .md5 for every package ;
>>>>       providing a .sha512 is recommended.
>>>>       Since MD5 is essentially broken, it is to be expected that
>>>>       in the future a .sha512 will be required.
>>>>       Perhaps it is wize to start providing .sha512's
>>>>       with your releases if you do not already do so.
>>>> 
>>>>    -- Visit http://mirror-vm.apache.org/checker/
>>>>       to check the health of your /dist/-area ;
>>>>       my stuff ; any feedback is most welcome.
>>>> 
>>>> Thanks ; regards,
>>>> 
>>>> Henk Penning
>>>> 
>>>>  [1] http://www.apache.org/dev/release-distribution
>>>>  [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>>>> 
>>>> ------------------------------------------------------------
>>>> Henk P. Penning ; apache.org infrastructure volunteer.
>>>> henkp@apache.org ; http://mirror-vm.apache.org/~henkp/
>>> 
>>> 
>> 
> 
> 
> 
> -- 
> Sergey Kozlov
> GridGain Systems
> www.gridgain.com


Mime
View raw message