juneau-dev mailing list archives

From James Bognar <jamesbog...@apache.org>
Subject Re: Quick question...checksums?
Date Mon, 17 Sep 2018 19:47:25 GMT
Hrm...well I thought upgrading the parent artifact to apache version 21
would give us the .sha512 files, but no luck...

https://repository.apache.org/content/repositories/orgapachejuneau-1023/org/apache/juneau/juneau-distrib/7.2.0/

Anyone have any ideas on how these are supposed to be generated?


On Mon, Sep 17, 2018 at 2:55 PM Craig Russell <apache.clr@gmail.com> wrote:

> tldr;
>
> Generating SHA512 or SHA256 is now required. Generating SHA1 and/or MD5 is
> now allowed "for a good reason".
>
> more below...
>
> On Sep 17, 2018, at 11:33 AM, Joey Frazee <jfrazee@apache.org> wrote:
>
> The interpretation of SHOULD NOT here, according to the RFC [1], is weaker
> than what most people think:
>
> "SHOULD NOT[:] This phrase, or the phrase 'NOT RECOMMENDED' mean that
> there may exist valid reasons in particular circumstances when the
> particular behavior is acceptable or even useful, but the full implications
> should be understood and the case carefully weighed before implementing any
> behavior described with this label."
>
> The obligation is to ship SHA-256 or SHA-512, not that you can’t release a
> release that has MD5 or SHA-1 somewhere or other.
>
>
> Yes.
>
> In particular, one reason to include MD5 is so Nexus doesn’t keep you from
> closing the repo.
>
>
> Yes.
>
> With Juneau's release process is there a good reason to continue to
> generate SHA1? [Other projects have downstream release consumption
> processes that require SHA1.]
>
>
> In light of all that, I think it’s ok to include the files, provided that
> the verification instructions only reference SHA-256 or SHA-512, and it’s
> probably prudent to not link the files from the download page.
>
>
> Yes. The files to not link to are the aforementioned SHA1 and MD5.
>
>
> If LEGAL has decided otherwise then the release instructions need to be
> updated to MUST NOT.
>
>
> Good summary, Joey.
>
> Craig
>
>
> 1. https://www.ietf.org/rfc/rfc2119.txt
> 2. https://www.apache.org/dev/release-distribution
> On Sep 17, 2018, 1:01 PM -0500, Gary Gregory <garydgregory@gmail.com>,
> wrote:
>
> On Mon, Sep 17, 2018 at 11:59 AM Gary Gregory <garydgregory@gmail.com>
> wrote:
>
>> On Mon, Sep 17, 2018 at 11:52 AM James Bognar <jamesbognar@apache.org>
>> wrote:
>>
>>> I think I'm confused.
>>>
>>> The checksums in the release are "*.md5" and "*.sha1":
>>>
>>> https://repository.apache.org/content/repositories/orgapachejuneau-1022/org/apache/juneau/juneau-all/7.2.0/
>>>
>>> Are the "*.sha1" files using SHA-1 or SHA-256/512?  I can't tell other
>>> than by the file names.
>>>
>>
>> That's the only way you can tell from all the Apache releases I've seen.
>> The extension .md5 means MD5 and .sha1 means SHA-1. You can tell in the SHA
>> files if it's from SHA-256, SHA-512, or something else by the length of the
>> checksum.
>>
>
> For example:
> https://archive.apache.org/dist/commons/lang/binaries/commons-lang3-3.8-bin.zip.sha256
>
> Gary
>
>>
>> Gary
>>
>>
>>>
>>> Our keys are here:
>>> https://people.apache.org/keys/group/juneau.asc
>>>
>>>
>>>
>>> On Mon, Sep 17, 2018 at 1:25 PM Gary Gregory <garydgregory@gmail.com>
>>> wrote:
>>>
>>>> You must NOT ship SHA1! Only SHA-256 or 512.
>>>>
>>>> Gary
>>>>
>>>> On Mon, Sep 17, 2018 at 11:21 AM James Bognar <jamesbognar@apache.org>
>>>> wrote:
>>>>
>>>>> I believe they mentioned on the general mailing list that you only
>>>>> need to ship SHA-1 checksums and not ASC or MD5.  Can I get a quick
>>>>> confirmation on that?
>>>>>
>>>>
> Craig L Russell
> Secretary, Apache Software Foundation
> clr@apache.org http://db.apache.org/jdo
>
>
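As an added example that is not part of this thread (my code, not Juneau's release tooling): a small Python script covering both sides of the discussion, generating a SHA-512/SHA-256 checksum file in the `sha512sum` layout for the release side, and on the consumer side verifying an artifact while inferring the algorithm from the digest length as Gary describes, and refusing to treat an MD5 or SHA-1 match as a basis for verification. The artifact bytes and filenames are constructed placeholders.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Hex-digest length -> algorithm. As the thread notes, a checksum file's
# extension does not say which SHA variant was used; the digest length does.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Algorithms the Apache release-distribution policy accepts for verification.
ACCEPTED = {"sha256", "sha512"}

# Constructed stand-in for a release artifact (not a real Juneau file).
SAMPLE_ARTIFACT = b"constructed stand-in for juneau-distrib-7.2.0-bin.zip\n"


def identify_algorithm(hexdigest: str) -> Optional[str]:
    """Infer the hash algorithm from the digest's hex length, or None."""
    return DIGEST_LENGTHS.get(len(hexdigest.strip()))


def make_checksum_text(data: bytes, algo: str, filename: str) -> str:
    """Release side: emit 'DIGEST  filename', the form sha512sum writes.
    (Some tools write only the bare digest; both forms parse below.)"""
    return f"{hashlib.new(algo, data).hexdigest()}  {filename}\n"


def parse_checksum_file(text: str) -> str:
    """Return the leading hex digest from checksum-file contents."""
    m = re.match(r"\s*([0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("no hex digest found in checksum file")
    return m.group(1).lower()


def verify_artifact(data: bytes, checksum_text: str) -> Tuple[str, bool, bool]:
    """Consumer side: returns (algorithm, digest_matches, algorithm_accepted).
    A matching MD5 or SHA-1 digest is still reported as not accepted, so it
    cannot silently be taken as proof of integrity."""
    expected = parse_checksum_file(checksum_text)
    algo = identify_algorithm(expected)
    if algo is None:
        raise ValueError(f"unrecognised digest length {len(expected)}")
    actual = hashlib.new(algo, data).hexdigest()
    return algo, hmac.compare_digest(actual, expected), algo in ACCEPTED
```

Only when all three of (algorithm accepted, digest matches) hold, together with a good PGP signature from the project's KEYS file, should a downloaded artifact be treated as verified.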
