polygene-dev mailing list archives

From Paul Merlin <p...@nosphere.org>
Subject Re: Fwd: .sha Release Distribution Policy
Date Wed, 16 Aug 2017 09:17:10 GMT
On 16 August 2017 11:00:31 GMT+02:00, Niclas Hedhman <hedhman@gmail.com> wrote:
>Relevant?
>---------- Forwarded message ----------
>From: "Henk P. Penning" <penning@uu.nl>
>Date: Aug 16, 2017 10:56
>Subject: .sha Release Distribution Policy
>To: <henkp@apache.org>
>Cc:
>
>Hi PMC,
>
>   The Release Distribution Policy[1] changed regarding .sha files.
>   See under "Cryptographic Signatures and Checksums Requirements" [2].
>
>  Old policy :
>
>   -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
>
>  New policy :
>
>     -- use .sha1 for a SHA-1 checksum
>     -- use .sha256 for a SHA-256 checksum
>     -- use .sha512 for a SHA-512 checksum
>     -- [*] .sha should contain a SHA-1
>
>  Why this change ?
>
>     -- Verifying a checksum under the old policy is/was not handy.
>        You have to inspect the .sha to find out which algorithm
>        should be used ; or try them all (SHA-1, SHA256, etc).
>        The new scheme avoids this ambiguity.
>     -- The last point[*] was only added for clarity. Most of the
>        old, stale .sha's contain a SHA-1. The relatively new .sha's
>        contain a SHA-512. The expectation is that the last category will
>        disappear, when active projects adapt to the 'new' convention.
>
>  Impact :
>
>    -- Should be none ; many projects already use the 'new' convention.
>     -- Please ask your release managers to use .sha1, .sha256, .sha512
>        instead of the .sha extension.
>     -- Please fix your build-tools if you have any.
>
>  Piggyback :
>
>     -- The policy requires a .md5 for every package ;
>        providing a .sha512 is recommended.
>        Since MD5 is essentially broken, it is to be expected that
>        in the future a .sha512 will be required.
>        Perhaps it is wise to start providing .sha512's
>        with your releases if you do not already do so.
>
>     -- Visit http://mirror-vm.apache.org/checker/
>        to check the health of your /dist/-area ;
>        my stuff ; any feedback is most welcome.
>
>  Thanks ; regards,
>
>  Henk Penning
>
>   [1] http://www.apache.org/dev/release-distribution
>   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>
>------------------------------------------------------------
>Henk P. Penning ; apache.org infrastructure volunteer.
>henkp@apache.org ; http://mirror-vm.apache.org/~henkp/

Yes it is.

Actually we use a 'SHA-512' extension and we should change it to 'sha512' according to the
new policy.

I'm on my phone, Niclas, would you mind creating an issue and assigning it to me?
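
Added example, not part of the original thread and not Apache's or Polygene's own tooling: a Python checker that picks the hash algorithm from the checksum file's extension as the new policy describes, falls back to inspecting the digest length only for a legacy `.sha` file, and rejects any other extension. The function names, file names and sample artifact are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Extension -> algorithm, per the "New policy" list in the quoted message.
EXT_TO_ALGO = {".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Hex digest length -> algorithm; checks content against the extension
# and resolves a legacy, ambiguous ".sha" file.
LEN_TO_ALGO = {40: "sha1", 64: "sha256", 128: "sha512"}


def extract_digest(checksum_text):
    """Return the first 40/64/128-character hex token, lower-cased."""
    for token in re.findall(r"\b[0-9A-Fa-f]+\b", checksum_text):
        if len(token) in LEN_TO_ALGO:
            return token.lower()
    raise ValueError("no SHA-1/SHA-256/SHA-512 hex digest found")


def algorithm_for(checksum_name, digest):
    """Choose the algorithm from the extension; guess by length only for '.sha'."""
    by_length = LEN_TO_ALGO[len(digest)]
    lower = checksum_name.lower()
    for ext, algo in EXT_TO_ALGO.items():
        if lower.endswith(ext):
            if by_length != algo:
                raise ValueError(f"{ext} file holds a {by_length} digest")
            return algo
    if lower.endswith(".sha"):
        return by_length  # old convention: the content decides
    raise ValueError(f"unrecognised checksum extension: {checksum_name}")


def verify(artifact_bytes, checksum_name, checksum_text):
    """Return (algorithm, matches) for an artifact and its checksum file."""
    digest = extract_digest(checksum_text)
    algo = algorithm_for(checksum_name, digest)
    actual = hashlib.new(algo, artifact_bytes).hexdigest()
    return algo, hmac.compare_digest(actual, digest)


if __name__ == "__main__":
    sample = b"constructed sample release artifact\n"  # constructed input
    line = hashlib.sha512(sample).hexdigest() + "  demo-1.0.tgz\n"
    print(verify(sample, "demo-1.0.tgz.sha512", line))
    print(verify(sample, "demo-1.0.tgz.sha", line))
```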