juneau-dev mailing list archives

From James Bognar <jamesbog...@apache.org>
Subject Re: Quick question...checksums?
Date Mon, 17 Sep 2018 20:32:32 GMT
Okay, I just manually generated it using the following command...

gpg --print-md SHA512 apache-juneau-${X_VERSION}-src.zip > apache-juneau-${X_VERSION}-src.zip.sha512


I've added this to the release instructions.  Hopefully I got it correct.


On Mon, Sep 17, 2018 at 3:47 PM James Bognar <jamesbognar@apache.org> wrote:

> Hrm...well I thought upgrading the parent artifact to apache version 21
> would give us the .sha512 files, but no luck...
>
>
> https://repository.apache.org/content/repositories/orgapachejuneau-1023/org/apache/juneau/juneau-distrib/7.2.0/
>
> Anyone have any ideas on how these are supposed to be generated?
>
>
> On Mon, Sep 17, 2018 at 2:55 PM Craig Russell <apache.clr@gmail.com>
> wrote:
>
>> tldr;
>>
>> Generating SHA512 or SHA256 is now required. Generating SHA1 and/or MD5
>> is now allowed "for a good reason".
>>
>> more below...
>>
>> On Sep 17, 2018, at 11:33 AM, Joey Frazee <jfrazee@apache.org> wrote:
>>
>> The interpretation of SHOULD NOT here, according to the RFC [1], is
>> weaker than what most people think:
>>
>> "SHOULD NOT[:] This phrase, or the phrase 'NOT RECOMMENDED' mean that
>> there may exist valid reasons in particular circumstances when the
>> particular behavior is acceptable or even useful, but the full implications
>> should be understood and the case carefully weighed before implementing any
>> behavior described with this label."
>>
>> The obligation is to ship SHA-256 or SHA-512, not that you can’t release
>> a release that has MD5 or SHA-1 somewhere or other.
>>
>>
>> Yes.
>>
>> In particular, one reason to include MD5 is so Nexus doesn’t keep you
>> from closing the repo.
>>
>>
>> Yes.
>>
>> With Juneau's release process is there a good reason to continue to
>> generate SHA1? [Other projects have downstream release consumption
>> processes that require SHA1.]
>>
>>
>> In light of all that, I think it’s ok to include the files, provided that
>> the verification instructions only reference SHA-256 or SHA-512, and it’s
>> probably prudent to not link the files from the download page.
>>
>>
>> Yes. The files to not link to are the aforementioned SHA1 and MD5.
>>
>>
>> If LEGAL has decided otherwise then the release instructions need to be
>> updated to MUST NOT.
>>
>>
>> Good summary, Joey.
>>
>> Craig
>>
>>
>> 1. https://www.ietf.org/rfc/rfc2119.txt
>> 2. https://www.apache.org/dev/release-distribution
>> On Sep 17, 2018, 1:01 PM -0500, Gary Gregory <garydgregory@gmail.com>,
>> wrote:
>>
>> On Mon, Sep 17, 2018 at 11:59 AM Gary Gregory <garydgregory@gmail.com>
>> wrote:
>>
>>> On Mon, Sep 17, 2018 at 11:52 AM James Bognar <jamesbognar@apache.org>
>>> wrote:
>>>
>>>> I think I'm confused.
>>>>
>>>> The checksums in the release are "*.md5" and "*.sha1":
>>>>
>>>> https://repository.apache.org/content/repositories/orgapachejuneau-1022/org/apache/juneau/juneau-all/7.2.0/
>>>>
>>>> Are the "*.sha1" files using SHA-1 or SHA-256/512?  I can't tell other
>>>> than by the file names.
>>>>
>>>
>>> That's the only way you can tell from all the Apache releases I've seen.
>>> The extension .md5 means MD5 and .sha1 means SHA-1. You can tell in the SHA
>>> files if it's from SHA-256, SHA-512, or something else by the length of the
>>> checksum.
>>>
>>
>> For example:
>> https://archive.apache.org/dist/commons/lang/binaries/commons-lang3-3.8-bin.zip.sha256
>>
>> Gary
>>
>>>
>>> Gary
>>>
>>>
>>>>
>>>> Our keys are here:
>>>> https://people.apache.org/keys/group/juneau.asc
>>>>
>>>>
>>>>
>>>> On Mon, Sep 17, 2018 at 1:25 PM Gary Gregory <garydgregory@gmail.com>
>>>> wrote:
>>>>
>>>>> You must NOT ship SHA1! Only SHA-256 or 512.
>>>>>
>>>>> Gary
>>>>>
>>>>> On Mon, Sep 17, 2018 at 11:21 AM James Bognar <jamesbognar@apache.org>
>>>>> wrote:
>>>>>
>>>>>> I believe they mentioned on the general mailing list that you only
>>>>>> need to ship SHA-1 checksums and not ASC or MD5.  Can I get a quick
>>>>>> confirmation on that?
>>>>>>
>>>>>
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> clr@apache.org http://db.apache.org/jdo
>>
>>
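Added example (not Juneau project code, not from any poster above): a small script that does what this thread circles around, generating a checksum file, telling the algorithm apart by digest length as Gary describes, and verifying a download against it. Two checksum-file layouts are handled: the "<hex>  <file>" layout that sha512sum/shasum write, and the layout that "gpg --print-md" writes, which is "<file>: " followed by uppercase hex in 4-character groups wrapped onto indented continuation lines. That gpg layout is reproduced here from observed output and is an assumption of the example, as are the artifact bytes, which are constructed for the demonstration. The point worth knowing: sha512sum -c will not accept the gpg layout as-is, so a verifier has to normalise it first, which is what parse_checksum_file does.

```python
"""Generate, parse and verify release checksum files (added example, not Juneau code)."""
import hashlib
import re

# Digest length in hex characters -> algorithm: Gary's "tell by the length of the checksum".
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Algorithms that verification instructions may reference per the thread's summary.
ACCEPTABLE_ALGOS = {"sha256", "sha512"}

SAMPLE_NAME = "apache-juneau-7.2.0-src.zip"  # artifact name taken from the thread
# Constructed stand-in for the archive bytes; not a real zip.
SAMPLE_BYTES = b"PK\x03\x04 constructed sample archive body\n" * 40


def digest_hex(algo, data):
    """Lowercase hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def sha512sum_text(name, algo, data):
    """Checksum file in the coreutils layout: "<hex>  <file>"."""
    return f"{digest_hex(algo, data)}  {name}\n"


def gpg_print_md_text(name, algo, data):
    """Checksum file in the layout `gpg --print-md` uses for SHA-256/SHA-512 (assumed):
    "<file>: " then uppercase hex in 4-char groups, a double space every 8 groups,
    and a new indented line every 16 groups."""
    hexdigest = digest_hex(algo, data).upper()
    groups = [hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4)]
    prefix = f"{name}: "
    lines = []
    for start in range(0, len(groups), 16):
        chunk = groups[start:start + 16]
        body = " ".join(chunk[:8])
        if len(chunk) > 8:
            body += "  " + " ".join(chunk[8:])
        lines.append((prefix if start == 0 else " " * len(prefix)) + body)
    return "\n".join(lines) + "\n"


def parse_checksum_file(text):
    """Return (hexdigest_lowercase, filename) from either supported layout."""
    stripped = text.strip()
    m = re.fullmatch(r"([0-9A-Fa-f]+)\s+\*?(\S+)", stripped)
    if m:  # sha512sum / shasum layout
        return m.group(1).lower(), m.group(2)
    name, sep, rest = stripped.partition(": ")
    if sep:  # gpg --print-md layout; strip the grouping spaces and line wraps
        hexdigest = re.sub(r"\s+", "", rest)
        if re.fullmatch(r"[0-9A-Fa-f]+", hexdigest):
            return hexdigest.lower(), name
    raise ValueError("unrecognised checksum file layout")


def verify(data, checksum_text, name=None):
    """Identify the algorithm from the digest length, recompute, and return
    (algo, digest_matches, algo_is_acceptable_for_verification)."""
    expected, listed_name = parse_checksum_file(checksum_text)
    if name is not None and listed_name != name:
        raise ValueError(f"checksum file names {listed_name!r}, expected {name!r}")
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        raise ValueError(f"no known algorithm has a {len(expected)}-hex-char digest")
    return algo, digest_hex(algo, data) == expected, algo in ACCEPTABLE_ALGOS


if __name__ == "__main__":
    checksum_file = gpg_print_md_text(SAMPLE_NAME, "sha512", SAMPLE_BYTES)
    print(checksum_file, end="")
    print(verify(SAMPLE_BYTES, checksum_file, SAMPLE_NAME))
```

Run as-is it prints a two-line .sha512 file in the gpg layout and then ("sha512", True, True). Feeding it a .sha1 file returns acceptable=False even when the digest matches, which is the distinction the thread lands on: the file may exist, but the verification instructions should not point users at it.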
