juneau-dev mailing list archives

From Joey Frazee <jfra...@apache.org>
Subject Re: Quick question...checksums?
Date Mon, 17 Sep 2018 18:33:31 GMT
The interpretation of SHOULD NOT here, according to the RFC [1], is weaker than what most people
think:

"SHOULD NOT[:] This phrase, or the phrase 'NOT RECOMMENDED' mean that there may exist valid
reasons in particular circumstances when the particular behavior is acceptable or even useful,
but the full implications should be understood and the case carefully weighed before implementing
any behavior described with this label."

The obligation is to ship SHA-256 or SHA-512, not that you can’t release a release that
has MD5 or SHA-1 somewhere or other.

In particular, one reason to include MD5 is so Nexus doesn’t keep you from closing the repo.

In light of all that, I think it’s ok to include the files, provided that the verification
instructions only reference SHA-256 or SHA-512, and it’s probably prudent to not link the
files from the download page.

If LEGAL has decided otherwise then the release instructions need to be updated to MUST NOT.

1. https://www.ietf.org/rfc/rfc2119.txt
2. https://www.apache.org/dev/release-distribution
On Sep 17, 2018, 1:01 PM -0500, Gary Gregory <garydgregory@gmail.com>, wrote:
> On Mon, Sep 17, 2018 at 11:59 AM Gary Gregory <garydgregory@gmail.com> wrote:
> > On Mon, Sep 17, 2018 at 11:52 AM James Bognar <jamesbognar@apache.org> wrote:
> > > I think I'm confused.
> > >
> > > The checksums in the release are "*.md5" and "*.sha1":
> > > https://repository.apache.org/content/repositories/orgapachejuneau-1022/org/apache/juneau/juneau-all/7.2.0/
> > >
> > > Are the "*.sha1" files using SHA-1 or SHA-256/512?  I can't tell other than by the file names.
> >
> > That's the only way you can tell from all the Apache releases I've seen. The extension .md5 means MD5 and .sha1 means SHA-1. You can tell in the SHA files if it's from SHA-256, SHA-512, or something else by the length of the checksum.
>
> For example: https://archive.apache.org/dist/commons/lang/binaries/commons-lang3-3.8-bin.zip.sha256
>
> Gary
> >
> > Gary
> >
> > > Our keys are here:
> > > https://people.apache.org/keys/group/juneau.asc
> > >
> > > On Mon, Sep 17, 2018 at 1:25 PM Gary Gregory <garydgregory@gmail.com> wrote:
> > > > You must NOT ship SHA1! Only SHA-256 or 512.
> > > >
> > > > Gary
> > > >
> > > > On Mon, Sep 17, 2018 at 11:21 AM James Bognar <jamesbognar@apache.org> wrote:
> > > > > I believe they mentioned on the general mailing list that you only need to ship SHA-1 checksums and not ASC or MD5.  Can I get a quick confirmation on that?
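An added example (not code from the thread or the Juneau project) of the two practical points in this exchange: the algorithm is identified by the digest length rather than the file extension, and verification only succeeds against a SHA-256 or SHA-512 checksum file, so a `.md5` or `.sha1` file sitting next to the artifact can exist but never satisfies the check. The function names and the sample digests (the standard "abc" test vectors) are my own choices.

```python
import hashlib
import hmac
import re

# Hex digest length -> algorithm. A ".sha1" or ".md5" extension only names the
# file; the digest length is what actually identifies the algorithm.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# Only these may satisfy verification; MD5/SHA-1 files may be present but are ignored.
ALLOWED = frozenset({"sha256", "sha512"})
HEX = re.compile(r"[0-9a-fA-F]+")


def parse_checksum(text: str) -> str:
    """Return the lowercase hex digest from a checksum file's contents.

    Accepts both the bare-digest form Nexus writes for *.sha1/*.md5 files and
    the "digest  filename" form produced by sha256sum/sha512sum.
    """
    parts = text.split()
    token = parts[0] if parts else ""
    if not HEX.fullmatch(token):
        raise ValueError("checksum file does not start with a hex digest")
    return token.lower()


def identify_algorithm(hex_digest: str) -> str:
    """Map a hex digest to its algorithm by length, as described in the thread."""
    try:
        return DIGEST_LENGTHS[len(hex_digest)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(hex_digest)}") from None


def verify_bytes(data: bytes, checksum_text: str) -> tuple[bool, str]:
    """Return (verified, algorithm). verified is False on a digest mismatch and
    also when the checksum file is MD5/SHA-1, even if that digest would match."""
    expected = parse_checksum(checksum_text)
    algo = identify_algorithm(expected)
    if algo not in ALLOWED:
        return False, algo
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected), algo


def verify_file(artifact_path: str, checksum_path: str) -> tuple[bool, str]:
    """Convenience wrapper for an artifact and its .sha256/.sha512 file on disk."""
    with open(artifact_path, "rb") as f, open(checksum_path, encoding="utf-8") as c:
        return verify_bytes(f.read(), c.read())
```

Run as `verify_file("juneau-all-7.2.0.jar", "juneau-all-7.2.0.jar.sha512")` (hypothetical file names) and treat anything other than `(True, ...)` as a failed download.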
