Re: Change of checksum policy in Apache


On Sunday, 18 March 2018, 13:14:12 CET, Karl Heinz Marbaise wrote:

> Hi to all,
> based on the checksum policy change in ASF[1] I would like to ask what
> you think would be the best way to go. I have summarized my thoughts on
> that...maybe you have some suggestions/supplementals etc.
> Currently we have at least md5's in your release plugin repo[2] which
> means we should add sha1 / sha256 etc. (or maybe replace it with sha256
> or sha512) to that repository...which can be done more or less easily...
> The more inconvenient part is that we need to change our download
> template in each plugin repo which only references .md5...
this is where the Google repo configuration to check out everything is handy:
you can then easily do update automation

> For the maven core itself there are already sha256 checksums for the
> 3.5.3 release available but they are not used on the download page which
> needs to be changed...
> ToDo's:
> 1. Change the download page for Maven Core using sha256[3]
>     Starting with 3.5.3..
> 2. Change all plugins in dist. repo and add sha256 checksums
>     Maybe we should change that for all artifacts in the dist repository
>     ( think this can be done by a script).
you'll need to change dist-tool also, since it currently absolutely wants a

> 3. Change the maven-install/maven-deploy plugin and move checksum
>     generation to maven-deploy-plugin (change artifact-transfer component
>     accordingly; working on that)[4]. Change to create sha1/sha256 only.
IMHO, there is a mix of concerns here: these plugins are not about Apache
source dist policy, but about Maven repository format.
It's wiser IMHO to leave this for another discussion.

>     From my point of view it makes sense to change that with version
>     3.0.0 of maven-install/maven-deploy plugin...
>     For the first initial release the sha1/sha256 needed to be added
>     manually to the release (need to check if this works with the
>     repository manager?)
> 4. Summarize the changes/issues which can result from a change
>     like that. Predict possible issues (If we can?)
like dist-tool :)

> 5. Change our release procedure to create sha256/sha512(whatever
>     we find useful?) checksums and remove md5 for all components
>     might be already done by 3 (If I correctly read that).
> 6. Change the download template in the repositories to use
>     sha1/sha256 instead of md5.
> Kind regards
> Karl Heinz Marbaise
> [1]:
> [2]:
> [3]:
> [4]:
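Item 2 of the quoted to-do list suggests a script could add sha256 checksums across the dist repository. The sketch below is an added example, not code from this thread or from any Maven/ASF tooling: it re-verifies each artifact against its existing `.md5` sidecar before writing a new sidecar, so a corrupted file is reported instead of being given a fresh checksum. The sidecar naming (`<artifact>.md5`, `<artifact>.sha256`) and the function names are assumptions.

```python
import hashlib
from pathlib import Path


def digest(path, algo):
    """Hex digest of a file, read in chunks so large archives are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def recorded_md5(sidecar):
    """Sidecars hold either a bare hex digest or '<hex>  <filename>'."""
    text = sidecar.read_text().strip()
    return text.split()[0].lower() if text else ""


def migrate(root, algo="sha256"):
    """Add <artifact>.<algo> next to every artifact that has a valid .md5.

    Returns artifact names grouped as written / mismatch / skipped.
    Existing .md5 files are left in place; removing them is a separate step.
    """
    report = {"written": [], "mismatch": [], "skipped": []}
    for sidecar in sorted(Path(root).rglob("*.md5")):
        artifact = sidecar.with_suffix("")  # foo.zip.md5 -> foo.zip
        new_sidecar = artifact.with_name(artifact.name + "." + algo)
        if not artifact.is_file() or new_sidecar.exists():
            report["skipped"].append(artifact.name)
            continue
        # Do not mint a stronger checksum for a file that already fails
        # the checksum published with the release.
        if digest(artifact, "md5") != recorded_md5(sidecar):
            report["mismatch"].append(artifact.name)
            continue
        new_sidecar.write_text(digest(artifact, algo) + "\n")
        report["written"].append(artifact.name)
    return report


if __name__ == "__main__":
    import sys
    print(migrate(sys.argv[1]))
```

Anything listed under `mismatch` should be compared against the signed release before a new checksum is published for it.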