Re: Change of checksum policy in Apache


Hervé BOUTEMY
On Sunday, 18 March 2018, 13:14:12 CET, Karl Heinz Marbaise wrote:

> Hi to all,
>
> based on the checksum policy change in ASF[1] I would like to ask what
> you think would be the best way to go. I have summarized my thoughts on
> that...maybe you have some suggestions/supplementals etc.
>
>
> Currently we have at least md5's in your release plugin repo[2] which
> means we should add sha1 / sha256 etc. (or maybe replace it with sha256
> or sha512) to that repository...which can be done more or less easily...
>
> The more inconvenient part is that we need to change our download
> template in each plugin repo which only references .md5...
this is where the Google repo configuration to checkout everything is handy:
you can then easily do update automation

>
> For the maven core itself there are already sha256 checksums for the
> 3.5.3 release available but they are not used on the download page which
> needs to be changed...
>
> ToDo's:
>
> 1. Change the download page for Maven Core using sha256[3]
>     Starting with 3.5.3..
>
> 2. Change all plugins in dist. repo and add sha256 checksums
>     Maybe we should change that for all artifacts in the dist repository
>     ( think this can be done by a script).
you'll need to change dist-tool also, since it currently absolutely wants a
.md5

>
> 3. Change the maven-install/maven-deploy plugin and move checksum
>     generation to maven-deploy-plugin (change artifact-transfer component
>     accordingly; working on that)[4]. Change to create sha1/sha256 only.
IMHO, there is a mix of concerns here: these plugins are not about Apache
source dist policy, but about Maven repository format.
It's wiser IMHO to leave this for another discussion.

>
>     From my point of view it makes sense to change that with version
>     3.0.0 of maven-install/maven-deploy plugin...
>
>     For the first initial release the sha1/sha256 needed to be added
>     manually to the release (need to check if this works with the
>     repository manager?)
>
> 4. Summarize the changes/issues which can result from a change
>     like that. Predict possible issues (If we can?)
like dist-tool :)

>
> 5. Change our release procedure to create sha256/sha512(whatever
>     we find useful?) checksums and remove md5 for all components
>     might be already done by 3 (If I correctly read that).
>
> 6. Change the download template in the repositories to use
>     sha1/sha256 instead of md5.
>
>
> Kind regards
> Karl Heinz Marbaise
>
> [1]: https://www.apache.org/dev/release-distribution.html#sigs-and-sums
> [2]: https://dist.apache.org/repos/dist/release/maven/plugins/
> [3]: https://issues.apache.org/jira/browse/MNGSITE-327
> [4]: https://issues.apache.org/jira/browse/MNGSITE-328
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]



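The script mentioned under ToDo item 2, sketched as an added example that is not part of the original thread or of any Maven tooling: it walks a local checkout of a dist tree, checks every existing checksum sidecar against the artifact, and writes a missing `.sha512` file only when the published checksums are consistent. The function names, the demo file names and the accepted sidecar layout (`<hex>` or `<hex>  <filename>`) are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

SIDECARS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
SKIP = set(SIDECARS) | {".asc"}  # checksum and signature files are not artifacts


def digest(path, algo):
    """Hex digest of a file, read in chunks so large archives are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def migrate(root, algo="sha512"):
    """Check existing sidecars, then add a missing <artifact>.<algo> file."""
    root = Path(root)
    report = {"added": [], "mismatch": []}
    artifacts = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix not in SKIP)
    for art in artifacts:
        consistent = True
        for ext, name in SIDECARS.items():
            side = art.with_name(art.name + ext)
            if side.exists():
                # A sidecar holds "<hex>" or "<hex>  <filename>".
                recorded = (side.read_text().split() or [""])[0].lower()
                if recorded != digest(art, name):
                    report["mismatch"].append(side.name)
                    consistent = False
        strong = art.with_name(f"{art.name}.{algo}")
        # Do not vouch for an artifact whose published checksum already fails.
        if consistent and not strong.exists():
            strong.write_text(digest(art, algo) + "\n")
            report["added"].append(strong.name)
    return report


def demo():
    """Constructed tree: one md5-only artifact and one whose .md5 is wrong."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "demo-plugin-1.0.zip"), Path(d, "demo-plugin-1.1.zip")
        good.write_bytes(b"constructed artifact A")
        bad.write_bytes(b"constructed artifact B")
        Path(f"{good}.md5").write_text(hashlib.md5(good.read_bytes()).hexdigest())
        Path(f"{bad}.md5").write_text("0" * 32)
        return migrate(d), Path(f"{good}.sha512").read_text().strip()
```

A matching `.md5` only shows the sidecar and the artifact agree with each other; artifacts listed under `mismatch` need to be re-checked against their `.asc` signature before any new checksum is published for them.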