Fwd: checksum file Release Distribution Policy

Igniters,

Do we comply with the next release requirements? Vladimir as a 2.4 release
manager, could you double check that we are in a good state?

--
Denis
---------- Forwarded message ----------
From: Henk P. Penning <[hidden email]>
Date: Mon, Mar 5, 2018 at 3:18 AM
Subject: checksum file Release Distribution Policy
To: [hidden email]


Hi Pmcs,

   The Release Distribution Policy[1] changed regarding checksum files.
   See under "Cryptographic Signatures and Checksums Requirements" [2].

     MD5-file == a .md5 file
     SHA-file == a .sha1, sha256 or .sha512 file

  Old policy :

     -- MUST provide a MD5-file
     -- SHOULD provide a SHA-file [SHA-512 recommended]

  New policy :

     -- MUST provide a SHA- or MD5-file
     -- SHOULD provide a SHA-file
     -- SHOULD NOT provide a MD5-file

     Providing MD5 checksum files is now discouraged for new releases,
     but still allowed for past releases.

  Why this change :

     -- MD5 is broken for many purposes ; we should move away from it.
        https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues

  Impact for PMCs :

     -- for new releases :
        -- please do provide a SHA-file (one or more, if you like)
        -- do NOT provide a MD5-file

     -- for past releases :
        -- you are not required to change anything
        -- for artifacts accompanied by a SHA-file /and/ a MD5-file,
           it would be nice if you removed the MD5-file

     -- if, at the moment, you provide MD5-files,
        please adjust your release tooling.

  Please mail me ([hidden email]) if you have any questions etc.

  FYI :

   Many projects are not (entirely, strictly) checksum file compliant.
   For an overview/inventory (by project) see :

    https://checker.apache.org/dist/unsummed.html

  At the moment :

     -- no checksum : 176 packages in 28 projects ; non-compliant
     -- only MD5    : 495 packages in 44 projects ; update tooling
     -- only SHA    : 135 packages in 13 projects ; now comliant

   In many cases, only a few (among many) checksum file are missing ;
   you may want to fix that.

   [1] http://www.apache.org/dev/release-distribution
   [2] http://www.apache.org/dev/release-distribution#sigs-and-sums

  Thanks, groeten,

  Henk Penning -- apache.org infrastructure ; dist & mirrors.

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL
<https://maps.google.com/?q=Leuvenlaan+4,+3584CE+Utrecht,+NL&entry=gmail&source=g>
        F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M [hidden email]     \_/

On Mon, Mar 5, 2018 at 12:57 PM, Denis Magda <[hidden email]> wrote:

> Igniters,
>
> Do we comply with the next release requirements? Vladimir as a 2.4 release
> manager, could you double check that we are in a good state?
>

I think we do. We only provide SHA files for our releases.

I am not sure. We do have SHA512 files, which is ok. But we also have MD5
files, which are now "SHOULD NOT" be provided. Is it OK that we still have
them?

On Tue, Mar 6, 2018 at 10:23 AM, Dmitriy Setrakyan <[hidden email]>
wrote:

We keep MD5 files for backward compatibility

On Tue, Mar 6, 2018 at 3:50 PM, Vladimir Ozerov <[hidden email]>
wrote:



--
Sergey Kozlov
GridGain Systems
www.gridgain.com

I don't see MD5 files anywhere on the website:
https://ignite.apache.org/download.cgi

Where do we have them?

D.


On Tue, Mar 6, 2018 at 4:50 AM, Vladimir Ozerov <[hidden email]>
wrote:

http://apache.org/dist/ignite/2.3.0/ <http://apache.org/dist/ignite/2.3.0/>

On Tue, Mar 6, 2018 at 8:52 PM, Petr Ivanov <[hidden email]> wrote:

> http://apache.org/dist/ignite/2.3.0/ <http://apache.org/dist/ignite/2.3.0/
> >
>

Got it. Let's get rid of MD5 in this case.

D.

Should we manually delete MD5 hash sums from current release (2.4) or release procedure modification in 2.5 will be enough?

If it's not late, I would remove it manually from 2.4 and alter the release
procedures. See a respective message from Cos:
http://apache-ignite-developers.2346864.n4.nabble.com/MD5-sums-in-the-releases-td27901.html

--
Denis

On Sun, Mar 11, 2018 at 11:00 PM, Petr Ivanov <[hidden email]> wrote: