incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <mar...@rectangular.com>
Subject Re: [VOTE] Release Apache Zeppelin (incubating) 0.5.0-incubating
Date Fri, 17 Jul 2015 21:51:36 GMT
Hi Cos,

Thanks for providing a thoughtfully documented review.

On Fri, Jul 17, 2015 at 2:24 PM, Konstantin Boudnik <cos@apache.org> wrote:
> +1 (binding)

> Please consider fixing in the next release:
>  - sha checksum is formatted in a way that makes automatic validation (with
>    sha512sum -c ) impossible. Also, it'd be better to make sha512 suffix for
>    the checksum file. sha is too ambiguous.
>  - md5sum file is pretty much useless considering its weak security
>    properties. Perhaps makes sense to get rid of it?

As of a few months ago, requirements regarding cryptographic sums and
signatures have been codified in a section of the Release Distribution
Policy, curated by VP Infrastructure.

  http://www.apache.org/dev/release-distribution#sigs-and-sums

If you wanted to make a proposal regarding removal of MD5 checksums,
infrastructure-dev@apache is the place to go.

The format required by sha512sum is a bit of a pain to produce on
systems where sha512sum itself is not available.  For a Mac, or any
other system where Perl is present, something like this will work:

    perl -MDigest -e '$d = Digest->new("MD5"); open $fh, \
    "<", "apache-foo-1.2.3.tar.gz" or die; $d->addfile($fh); \
    print $d->hexdigest; print "  apache-foo-1.2.3.tar.gz\n"' \
    >  apache-foo-1.2.3.tar.gz.md5

I'm sure there are other hack invocations possible with other tools.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message