incubator-general mailing list archives

From Julian Hyde <jh...@apache.org>
Subject Digests in releases
Date Wed, 30 Aug 2017 21:08:42 GMT
What is the correct forum for discussing release distribution policy?

Current policy [1] states:

  Every artifact distributed to the public through Apache channels MUST
  be accompanied by one file containing an OpenPGP compatible ASCII
  armored detached signature and another file containing an MD5 checksum.

  ...

  An SHA checksum SHOULD also be created.


MD5 is no longer deemed secure[2]. I think we should remove it from
our releases and mandate SHA256 or SHA512.

Julian

[1] http://www.apache.org/dev/release-distribution.html#sigs-and-sums

[2] https://en.wikipedia.org/wiki/Md5sum
