incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Digests in releases
Date Wed, 30 Aug 2017 23:12:01 GMT
On 30 August 2017 at 22:08, Julian Hyde <jhyde@apache.org> wrote:
> What is the correct forum for discussing release distribution policy?
>
> Current policy [1] states:
>
>   Every artifact distributed to the public through Apache channels MUST
>   be accompanied by one file containing an OpenPGP compatible ASCII
>   armored detached signature and another file containing an MD5 checksum.
>
>   ...
>
>   An SHA checksum SHOULD also be created.
>
>
> MD5 is no longer deemed secure[2]. I think we should remove it from
> our releases and mandate SHA256 or SHA512.

Surely the main purpose of the hash is to check that the download has
been successful.
As such, MD5 is adequate.

> Julian
>
> [1] http://www.apache.org/dev/release-distribution.html#sigs-and-sums
>
> [2] https://en.wikipedia.org/wiki/Md5sum
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
