Based on the checksum policy change in ASF I would like to ask what
you think would be the best way to go. I have summarized my thoughts on
that...maybe you have some suggestions/supplementals etc.
Currently we have at least md5's in your release plugin repo which
means we should add sha1 / sha256 etc. (or maybe replace it with sha256
or sha512) to that repository...which can be done more or less easily...
The more inconvenient part is that we need to change our download
template in each plugin repo which only references .md5...
For the Maven Core itself there are already sha256 checksums for the
3.5.3 release available but they are not used on the download page which
needs to be changed...
1. Change the download page for Maven Core using sha256
Starting with 3.5.3..
2. Change all plugins in dist. repo and add sha256 checksums
Maybe we should change that for all artifacts in the dist repository
(I think this can be done by a script).
3. Change the maven-install/maven-deploy plugin and move checksum
generation to maven-deploy-plugin (change artifact-transfer component
accordingly; working on that). Change to create sha1/sha256 only.
From my point of view it makes sense to change that with version
3.0.0 of maven-install/maven-deploy plugin...
For the first initial release the sha1/sha256 needed to be added
manually to the release (need to check if this works with the
4. Summarize the changes/issues which can result from a change
like that. Predict possible issues (If we can?)
5. Change our release procedure to create sha256/sha512(whatever
we find useful?) checksums and remove md5 for all components
might be already done by 3 (If I correctly read that).
6. Change the download template in the repositories to use
sha1/sha256 instead of md5.
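
A sketch of the script mentioned in step 2, added here as an example; it is not part of the original message and not Maven or ASF tooling. It assumes sidecar files are named `<artifact>.<algo>` and contain the bare hex digest, and the function names are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# Assumption: sidecars are named <artifact>.<algo> and hold the bare hex digest.
SIDECAR_EXTS = {".md5", ".sha1", ".sha256", ".sha512", ".asc"}

def digest(path, algo):
    """Stream the file so large distributions are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def add_checksums(root, algos=("sha256", "sha512")):
    """Write missing sidecars under root; return (written, mismatched)."""
    written, mismatched = [], []
    for art in sorted(Path(root).rglob("*")):
        if not art.is_file() or art.suffix in SIDECAR_EXTS:
            continue
        # Check the existing .md5 first: a stronger digest computed over an
        # artifact that no longer matches its record would vouch for bad bytes.
        md5_file = art.with_name(art.name + ".md5")
        if md5_file.exists():
            fields = md5_file.read_text().split()
            if not fields or fields[0].lower() != digest(art, "md5"):
                mismatched.append(art)
                continue
        for algo in algos:
            side = art.with_name(f"{art.name}.{algo}")
            if not side.exists():  # never overwrite a published checksum
                side.write_text(digest(art, algo) + "\n")
                written.append(side)
    return written, mismatched

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: add_checksums.py <dist-checkout-dir>")
    written, mismatched = add_checksums(sys.argv[1])
    for p in written:
        print("wrote", p)
    for p in mismatched:
        print("MD5 MISMATCH, skipped", p)
```

Artifacts whose recorded md5 no longer matches are reported and left without new checksums, so they can be examined before anything stronger is published for them.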