From: Pierre Villard
Date: Thu, 14 Apr 2016 18:12:22 +0200
Subject: Re: [VOTE] Incorporate SHA256 part of release process
To: dev, Joe Percivall
Reply-To: dev@nifi.apache.org

+1

Pierre

2016-04-14 14:24 GMT+02:00 Joe Percivall:

> +1
> - - - - - -
> Joseph Percivall
> linkedin.com/in/Percivall
> e: joepercivall@yahoo.com
>
>
> On Thursday, April 14, 2016 7:55 AM, Joe Skora wrote:
>
>
> +1 for SHA256
>
> Whatever process produces the checksums it would be nice if the checksum
> files could be made compatible with the "--check" option on the md5sum,
> sha1sum, and sha256sum commands to simplify validation.
>
> That format is "". With the checksum in that format, running
> "md5sum --check .md5" will checksum and verify its checksum matches the
> expectations. This then outputs either ": OK" or ": FAILED" eliminating
> the need to eyeball checksums and also making it easier to script the
> validation if needed.
>
>
>
> On Wed, Apr 13, 2016 at 11:20 PM, Andy LoPresto <alopresto.apache@gmail.com> wrote:
>
> > Fair enough. OpenSSL is pretty universal, but there are also OS-specific
> > commands to perform the same task.
> >
> > Andy LoPresto
> > alopresto.apache@gmail.com
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> >
> > > On Apr 13, 2016, at 20:13, Aldrin Piri wrote:
> > >
> > > As far as the wrapper script, I'm in favor of the manual process for the
> > > SHA256. The arbitrary shell commands/processes in the Maven build feel too
> > > brittle across operating systems and this is multiplied in conjunction with
> > > a maintained follow on script(s). Overall would prefer just incurring the
> > > "expense" on the RM to do so manually once these artifacts have been
> > > generated through the process currently in place.
> > >
> > >> On Wed, Apr 13, 2016 at 9:58 PM, Andy LoPresto wrote:
> > >>
> > >> Tony,
> > >>
> > >> That's definitely a valid concern that I'm sure benefits all release
> > >> managers to review. The conversation below is regarding the checksums for
> > >> data integrity only; not the underlying hash used in the GPG signature
> > >> process.
> > >>
> > >> Andy LoPresto
> > >> alopresto@apache.org
> > >> alopresto.apache@gmail.com
> > >> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> > >>
> > >> On Apr 13, 2016, at 6:50 PM, Tony Kurc wrote:
> > >>
> > >> I was under the impression not using SHA-1 WAS part of our release, when we
> > >> were gpg signing (based off of [1]), which I assumed was the preferred form
> > >> of assuring an artifact was not "bad". However, it looks like it isn't in
> > >> our checklist to confirm that SHA-1 wasn't used to make the digital
> > >> signature, and it looks like 0.6.1 is using SHA1.
> > >>
> > >>
> > >> 1. http://www.apache.org/dev/openpgp.html#key-gen-avoid-sha1
> > >>
> > >>
> > >> On Wed, Apr 13, 2016 at 9:13 PM, Aldrin Piri wrote:
> > >>
> > >> This was mentioned in the vote thread for the RC2 release and wanted to
> > >> separate it out to keep the release messaging streamlined. As mentioned by
> > >> Andy, the MD5 and SHA1 are subject to collisions. From another viewpoint, I
> > >> like having this as part of the official release process as I typically
> > >> generate this myself when updating the associated Homebrew formula with no
> > >> real connection to the artifacts created other than me saying so.
> > >>
> > >> The drawback is that the Maven plugins that drives the release
> > >> unfortunately does not support SHA-256.[1] As a result this would fall on
> > >> the RM to do so but could easily be added to the documentation we have
> > >> until the linked ticket is resolved.
> > >>
> > >> This vote will be a lazy consensus and remain open for 72 hours.
> > >>
> > >>
> > >> [1] https://issues.apache.org/jira/browse/MINSTALL-82
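
The "--check"-compatible checksum file requested in the quoted thread above, shown as an added example that is not part of the original messages or of NiFi's release tooling: it writes a SHA-256 file in the digest, two spaces, file name layout, verifies it, and treats an artifact with no checksum file as a failure. The function names are hypothetical, and a `sha256sum` that accepts `-c` (the short form of `--check`) is assumed.

```shell
#!/bin/sh
# Added example. Function names and the artifact names used with them are
# hypothetical; assumes a sha256sum that accepts -c (short for --check).

# Write <artifact>.sha256 in the layout "sha256sum --check" reads:
# 64 hex digits, two spaces, file name.
write_sha256() {
    w_dir=$(dirname "$1")
    w_base=$(basename "$1")
    # Hash from inside the directory so the recorded name is relative and
    # the file still verifies wherever the pair is downloaded to.
    ( cd "$w_dir" && sha256sum "$w_base" > "$w_base.sha256" )
}

# Prints "<name>: OK" or "<name>: FAILED"; exit status is 0 only on a match.
verify_sha256() {
    v_dir=$(dirname "$1")
    v_base=$(basename "$1")
    ( cd "$v_dir" && sha256sum -c "$v_base.sha256" )
}

# Check every artifact in a release directory. An artifact that has no
# .sha256 file is reported as a failure instead of being skipped.
verify_release_dir() {
    r_rc=0
    for r_file in "$1"/*; do
        case $r_file in *.sha256|*.sha1|*.md5|*.asc) continue ;; esac
        [ -f "$r_file" ] || continue
        if [ ! -f "$r_file.sha256" ]; then
            echo "$(basename "$r_file"): NO CHECKSUM FILE"
            r_rc=1
        elif ! verify_sha256 "$r_file"; then
            r_rc=1
        fi
    done
    return "$r_rc"
}
```

Because the recorded file name is relative, the artifact and its `.sha256` file must sit in the same directory when verified.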