MPOM-205 creating source release checksums in target for Apache dist area

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

MPOM-205 creating source release checksums in target for Apache dist area

Hervé BOUTEMY
Hi,

Recently, Apache distribution policy changed regarding checksums [1]: now, SHA-256 or SHA-512 checksums are required.

This lead to discussion about changing checksums used on Maven repository and/or Apache Nexus repository.

But Maven repository requirements and Apache source distribution requirements are completely independant: why tie them?


I just implemented SHA-256 and SHA-512 checksums tracked through MPOM-205 [2]:
1. only for Apache source release files
2. only in local build, available in target/ directory (nothing related to Maven repository nor deploy)

See the related Git branch [3]


Anything to add before I merge this branch to master?
And eventually launch Apache parent POM 21 release quite soon...

Regards,

Hervé


[1] http://www.apache.org/dev/release-distribution#sigs-and-sums

[2] https://issues.apache.org/jira/browse/MPOM-205

[3] https://github.com/apache/maven-apache-parent/tree/MPOM-205

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: MPOM-205 creating source release checksums in target for Apache dist area

michaelo
Am 2018-08-07 um 22:50 schrieb [hidden email]:

> Hi,
>
> Recently, Apache distribution policy changed regarding checksums [1]: now, SHA-256 or SHA-512 checksums are required.
>
> This lead to discussion about changing checksums used on Maven repository and/or Apache Nexus repository.
>
> But Maven repository requirements and Apache source distribution requirements are completely independant: why tie them?
>
>
> I just implemented SHA-256 and SHA-512 checksums tracked through MPOM-205 [2]:
> 1. only for Apache source release files
> 2. only in local build, available in target/ directory (nothing related to Maven repository nor deploy)
>
> See the related Git branch [3]
>
>
> Anything to add before I merge this branch to master?
> And eventually launch Apache parent POM 21 release quite soon...

Please squash.

It is a pity to see that none of our plugins can produce the checksums.
While the requires says at least one checksum, do you see any huge
benefit having SHA512 over 256? I see none.

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: MPOM-205 creating source release checksums in target for Apache dist area

Hervé BOUTEMY
In reply to this post by Hervé BOUTEMY
no objection: update merged with existing checksum-maven-plugin

the maintainer created a new 1.7 version for us to add a failIfNoFiles feature

if someone creates a plugin that is more adapted, we can change in the future

if nobody beats me at it, I'll start a release in one week from now

regards,

Hervé

----- Mail original -----
De: "Robert Scholte" <[hidden email]>
À: "Maven Developers List" <[hidden email]>
Envoyé: Mardi 7 Août 2018 23:33:31
Objet: Re: MPOM-205 creating source release checksums in target for Apache dist area

On Tue, 07 Aug 2018 23:29:04 +0200, <[hidden email]> wrote:

> squashed and kept only SHA-512
>
> Maven core plugins don't cover everything even quite generic like  
> creating checksums, that's why there are many Maven plugins out there...

Maven Resolver generates these files while deploying, so for us there was  
no real need for a specific plugin. With the different demand from ASF we  
should consider writing a maven-checksum-plugin.

Robert

>
> Regards,
>
> Hervé
>
> ----- Mail original -----
> De: "Michael Osipov" <[hidden email]>
> À: "Maven Developers List" <[hidden email]>, "herve boutemy"  
> <[hidden email]>
> Cc: [hidden email]
> Envoyé: Mardi 7 Août 2018 23:04:46
> Objet: Re: MPOM-205 creating source release checksums in target for  
> Apache dist area
>
> Am 2018-08-07 um 22:50 schrieb [hidden email]:
>> Hi,
>>
>> Recently, Apache distribution policy changed regarding checksums [1]:  
>> now, SHA-256 or SHA-512 checksums are required.
>>
>> This lead to discussion about changing checksums used on Maven  
>> repository and/or Apache Nexus repository.
>>
>> But Maven repository requirements and Apache source distribution  
>> requirements are completely independant: why tie them?
>>
>>
>> I just implemented SHA-256 and SHA-512 checksums tracked through  
>> MPOM-205 [2]:
>> 1. only for Apache source release files
>> 2. only in local build, available in target/ directory (nothing related  
>> to Maven repository nor deploy)
>>
>> See the related Git branch [3]
>>
>>
>> Anything to add before I merge this branch to master?
>> And eventually launch Apache parent POM 21 release quite soon...
>
> Please squash.
>
> It is a pity to see that none of our plugins can produce the checksums.
> While the requires says at least one checksum, do you see any huge
> benefit having SHA512 over 256? I see none.
>
> Michael
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]