www-site-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: svn commit: r1803496 - /infrastructure/site/trunk/content/dev/release-distribution.mdtext
Date Mon, 31 Jul 2017 09:45:12 GMT
On 31 July 2017 at 10:06,  <henkp@apache.org> wrote:
> Author: henkp
> Date: Mon Jul 31 09:06:21 2017
> New Revision: 1803496
>
> URL: http://svn.apache.org/viewvc?rev=1803496&view=rev
> Log:
> SHA-$xxx checksum files should be suffixed .sha$xxx
>
> Modified:
>     infrastructure/site/trunk/content/dev/release-distribution.mdtext
>
> Modified: infrastructure/site/trunk/content/dev/release-distribution.mdtext
> URL: http://svn.apache.org/viewvc/infrastructure/site/trunk/content/dev/release-distribution.mdtext?rev=1803496&r1=1803495&r2=1803496&view=diff
> ==============================================================================
> --- infrastructure/site/trunk/content/dev/release-distribution.mdtext (original)
> +++ infrastructure/site/trunk/content/dev/release-distribution.mdtext Mon Jul 31 09:06:21
2017
> @@ -115,7 +115,14 @@ MUST be formed by adding to the name of
>  *   the checksum by suffixing `.md5`
>
>  An [SHA](release-signing#sha-checksum) checksum SHOULD also be created and
> -MUST be suffixed `.sha`.  The checksum SHOULD be generated using `SHA512`.
> +MUST be suffixed as:
> +
> +* `.sha1` for a SHA-1 checksum
> +* `.sha256` for a SHA-256 checksum
> +* `.sha512` for a SHA-512 checksum
> +
> +The checksum SHOULD be generated using `SHA-512`.
> +A `.sha` file SHOULD contain a SHA-1 checksum, for historical reasons.

AFAICT this is a significant change to the policy.

Previously, SHA checksums had to be in a file *.sha.
There was no option for other suffixes.
Equally, there was no requirement to use SHA-1.
So *.sha files could contain SHA-1 or SHA-256 etc.

I think this change needs to be communicated to PMCs and/or committers.

>  Projects MUST publish a "[`KEYS`](#release-signing#keys-policy)" file in their
>  distribution directory which contains all public keys used to sign artifacts.
>
>
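
Review bot: The last added line, "A `.sha` file SHOULD contain a SHA-1 checksum", conflicts with the removed text, which required the `.sha` suffix and recommended `SHA512`, so `.sha` files produced under the old wording can hold SHA-512 digests and now fall outside this SHOULD. The new "MUST be suffixed as:" list also omits `.sha`, which leaves it unclear whether that suffix is still permitted for new releases or only tolerated for existing ones. Suggest saying explicitly that `.sha` is deprecated for new releases, stating what should happen to existing `.sha` files, and noting that the `.sha` suffix alone does not identify the algorithm. It would also help to say whether a `.sha1` file on its own satisfies the requirement, given that the recommended algorithm is `SHA-512`.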
