On Sunday, 18 March 2018, 13:14:12 CET, Karl Heinz Marbaise wrote:
> Hi to all,
> based on the checksum policy change in ASF I would like to ask what
> you think would be the best way to go. I have summarized my thoughts on
> that...maybe you have some suggestions/supplementals etc.
> Currently we have at least md5's in your release plugin repo which
> means we should add sha1 / sha256 etc. (or maybe replace it with sha256
> or sha512) to that repository...which can be done more or less easily...
> The more inconvenient part is that we need to change our download
> template in each plugin repo which only references .md5...
This is where the Google repo configuration to check out everything is handy:
you can then easily do update automation.
> For the maven core itself there are already sha256 checksums for the
> 3.5.3 release available but they are not used on the download page which
> needs to be changed...
> 1. Change the download page for Maven Core using sha256
> Starting with 3.5.3..
> 2. Change all plugins in dist. repo and add sha256 checksums
> Maybe we should change that for all artifacts in the dist repository
> (I think this can be done by a script).
you'll need to change dist-tool also, since it currently absolutely wants a
> 3. Change the maven-install/maven-deploy plugin and move checksum
> generation to maven-deploy-plugin (change artifact-transfer component
> accordingly; working on that). Change to create sha1/sha256 only.
IMHO, there is a mix of concerns here: these plugins are not about Apache
source dist policy, but about Maven repository format.
It's wiser IMHO to leave this for another discussion.
> From my point of view it makes sense to change that with version
> 3.0.0 of maven-install/maven-deploy plugin...
> For the first initial release the sha1/sha256 needed to be added
> manually to the release (need to check if this works with the
> repository manager?)
> 4. Summarize the changes/issues which can result from a change
> like that. Predict possible issues (If we can?)
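
Point 2 above suggests a script could add sha256 checksums across the dist repository. The following is an added example, not part of the original thread and not Maven or dist-tool code: it assumes artifacts are identified by their existing `.md5` sidecar files, and the function names are hypothetical. It checks the recorded MD5 before writing new digests, so a file that no longer matches its old checksum is reported instead of being given a fresh sha256/sha512.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read artifacts in 1 MiB blocks


def digest(path, algo):
    """Hex digest of a file, streamed so large archives are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def add_sha_sidecars(root, algos=("sha256", "sha512")):
    """Write missing <artifact>.<algo> files for every artifact with a .md5."""
    written, mismatch = [], []
    for md5_file in sorted(Path(root).rglob("*.md5")):
        artifact = md5_file.with_suffix("")  # foo.zip.md5 -> foo.zip
        if not artifact.is_file():
            continue
        # A sidecar may hold "<hex>" alone or "<hex>  filename".
        fields = md5_file.read_text().split()
        recorded = fields[0].lower() if fields else ""
        if recorded != digest(artifact, "md5"):
            mismatch.append(artifact.name)  # do not bless a changed file
            continue
        for algo in algos:
            side = artifact.with_name(artifact.name + "." + algo)
            if not side.exists():
                side.write_text(digest(artifact, algo) + "\n")
                written.append(side.name)
    return {"written": written, "mismatch": mismatch}


def demo():
    """Run against a constructed tree: one intact artifact, one mismatching."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "plugins")
        d.mkdir()
        good = d / "good-1.0-source-release.zip"
        good.write_bytes(b"constructed artifact")
        Path(str(good) + ".md5").write_text(digest(good, "md5"))
        bad = d / "bad-1.0-source-release.zip"
        bad.write_bytes(b"corrupted")
        Path(str(bad) + ".md5").write_text("0" * 32)
        result = add_sha_sidecars(tmp)
        result["good_sha256"] = Path(str(good) + ".sha256").read_text().strip()
        return result
```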