incubator-general mailing list archives

From Marvin Humphrey <>
Subject Re: [VOTE] Release Apache Zeppelin (incubating) 0.5.0-incubating
Date Fri, 17 Jul 2015 21:51:36 GMT
Hi Cos,

Thanks for providing a thoughtfully documented review.

On Fri, Jul 17, 2015 at 2:24 PM, Konstantin Boudnik <> wrote:
> +1 (binding)

> Please consider fixing in the next release:
>  - sha checksum is formatted in a way that makes automatic validation (with
>    sha512sum -c ) impossible. Also, it'd be better to make sha512 suffix for
>    the checksum file. sha is too ambiguous.
>  - md5sum file is pretty much useless considering its weak security
>    properties. Perhaps makes sense to get rid of it?

As of a few months ago, requirements regarding cryptographic sums and
signatures have been codified in a section of the Release Distribution
Policy, curated by VP Infrastructure.

If you wanted to make a proposal regarding removal of MD5 checksums,
infrastructure-dev@apache is the place to go.

The format required by sha512sum is a bit of a pain to produce on
systems where sha512sum itself is not available.  For a Mac, or any
other system where Perl is present, something like this will work:

    perl -MDigest -e '$d = Digest->new("MD5"); open $fh,
    "<", "apache-foo-1.2.3.tar.gz" or die; $d->addfile($fh);
    print $d->hexdigest; print "  apache-foo-1.2.3.tar.gz\n"' \
    >  apache-foo-1.2.3.tar.gz.md5

I'm sure there are other hack invocations possible with other tools.

Marvin Humphrey
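
Added example, not part of the original message: a POSIX shell sketch that writes a SHA-512 checksum file in the one-line layout `sha512sum -c` reads (hex digest, two spaces, file name) and checks such a file on a system where sha512sum may be absent. It goes beyond the message by using SHA-512 and adding a checker; the function names are assumptions, and it assumes one of sha512sum, shasum, openssl or Perl's Digest::SHA is installed.

```shell
#!/bin/sh
# Added example; function names are assumptions made for this sketch.
# Usage: write_sum apache-foo-1.2.3.tar.gz
#        check_sum apache-foo-1.2.3.tar.gz.sha512

# Lowercase hex SHA-512 of stdin, using whichever tool is installed.
sha512_hex() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum
    elif command -v shasum >/dev/null 2>&1; then shasum -a 512
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha512 -r
    else perl -MDigest::SHA -e \
        'print Digest::SHA->new(512)->addfile(*STDIN)->hexdigest, "\n"'
    fi | cut -c1-128
}

# Write FILE.sha512 as one line: 128 hex digits, two spaces, bare file name.
write_sum() {
    printf '%s  %s\n' "$(sha512_hex < "$1")" "$(basename "$1")" > "$1.sha512"
}

# Check SUMFILE against the artifact that sits beside it.
# Returns 0 = match, 1 = digest mismatch, 2 = line not in the expected layout.
check_sum() {
    cs_line=
    IFS= read -r cs_line < "$1" || [ -n "$cs_line" ] || return 2
    cs_want=${cs_line%%  *}      # text before the first two-space separator
    cs_name=${cs_line#*  }       # text after it
    [ "${#cs_want}" -eq 128 ] || return 2
    case $cs_want in *[!0-9a-f]*) return 2 ;; esac
    # The checksum file is untrusted input: refuse names that leave its directory.
    case $cs_name in ''|*/*) return 2 ;; esac
    cs_file=$(dirname "$1")/$cs_name
    [ -f "$cs_file" ] || return 2
    [ "$(sha512_hex < "$cs_file")" = "$cs_want" ] || return 1
}
```

A checksum file in any other layout gets return code 2 from `check_sum`, so a formatting problem can be told apart from a real digest mismatch.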
