Change of checksum policy in Apache

Karl Heinz Marbaise-3
Hi to all,

based on the checksum policy change in ASF[1] I would like to ask what
you think would be the best way to go. I have summarized my thoughts on
that...maybe you have some suggestions/supplementals etc.


Currently we have at least md5's in your release plugin repo[2] which
means we should add sha1 / sha256 etc. (or maybe replace it with sha256
or sha512) to that repository...which can be done more or less easily...

The more inconvenient part is that we need to change our download
template in each plugin repo which only references .md5...

For the maven core itself there are already sha256 checksums for the
3.5.3 release available but they are not used on the download page which
needs to be changed...

ToDo's:

1. Change the download page for Maven Core using sha256[3]
    Starting with 3.5.3..

2. Change all plugins in dist. repo and add sha256 checksums
    Maybe we should change that for all artifacts in the dist repository
    (think this can be done by a script).

3. Change the maven-install/maven-deploy plugin and move checksum
    generation to maven-deploy-plugin (change artifact-transfer component
    accordingly; working on that)[4]. Change to create sha1/sha256 only.

    From my point of view it makes sense to change that with version
    3.0.0 of maven-install/maven-deploy plugin...

    For the first initial release the sha1/sha256 needed to be added
    manually to the release (need to check if this works with the
    repository manager?)

4. Summarize the changes/issues which can result from a change
    like that. Predict possible issues (If we can?)

5. Change our release procedure to create sha256/sha512 (whatever
    we find useful?) checksums and remove md5 for all components
    might be already done by 3 (If I correctly read that).

6. Change the download template in the repositories to use
    sha1/sha256 instead of md5.


Kind regards
Karl Heinz Marbaise

[1]: https://www.apache.org/dev/release-distribution.html#sigs-and-sums
[2]: https://dist.apache.org/repos/dist/release/maven/plugins/
[3]: https://issues.apache.org/jira/browse/MNGSITE-327
[4]: https://issues.apache.org/jira/browse/MNGSITE-328
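
ToDo item 2 above suggests a script for adding sha256 checksums across the dist repository. The following sketch is an added example, not part of the original message or any Apache tooling. It assumes a local checkout of the dist tree, that each .md5 sidecar contains the hex digest, and a "digest  filename" output format; the function names and sample file names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Files that accompany an artifact and must not be checksummed themselves.
SIDECARS = {".md5", ".sha1", ".sha256", ".sha512", ".asc"}

def digest(path, algo):
    """Hash a file in 1 MiB chunks so large distributions fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def add_checksums(root, algo="sha256"):
    """Write <artifact>.<algo> next to every artifact under root.

    Returns (written, skipped). An artifact whose existing .md5 sidecar
    does not match is skipped, so a damaged or swapped file never receives
    a fresh, valid-looking stronger checksum.
    """
    written, skipped = [], []
    for art in sorted(Path(root).rglob("*")):
        if not art.is_file() or art.suffix in SIDECARS:
            continue
        md5_file = art.with_name(art.name + ".md5")
        if md5_file.exists():
            # Assumption: the sidecar holds the 32-char hex digest somewhere.
            m = re.search(r"\b[0-9a-fA-F]{32}\b", md5_file.read_text())
            if not m or m.group(0).lower() != digest(art, "md5"):
                skipped.append(art.name)
                continue
        out = art.with_name(f"{art.name}.{algo}")
        if not out.exists():  # never overwrite a published checksum
            out.write_text(f"{digest(art, algo)}  {art.name}\n")
            written.append(out.name)
    return written, skipped

def demo():
    # Constructed sample tree standing in for a checkout of the dist repo.
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "plugin-a-1.0-source-release.zip")
        bad = Path(d, "plugin-b-1.0-source-release.zip")
        good.write_bytes(b"constructed artifact A")
        bad.write_bytes(b"constructed artifact B")
        Path(d, good.name + ".md5").write_text(digest(good, "md5"))
        Path(d, bad.name + ".md5").write_text("0" * 32)  # deliberate mismatch
        return add_checksums(d)
```

Anything reported in the skipped list needs manual review (for example against its .asc signature) before a new checksum is published for it.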

