Igniters, especially the release managers,
Please consider these changes and recommendations for the next release. Do we have any ticket that already takes this into account?

—
Denis

> Begin forwarded message:
>
> From: "Henk P. Penning" <[hidden email]>
> Subject: .sha Release Distribution Policy
> Date: August 16, 2017 at 1:55:57 AM PDT
> To: <[hidden email]>
> Reply-To: [hidden email]
>
> Hi PMC,
>
> The Release Distribution Policy[1] changed regarding .sha files.
> See under "Cryptographic Signatures and Checksums Requirements" [2].
>
> Old policy :
>
>   -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
>
> New policy :
>
>   -- use .sha1 for a SHA-1 checksum
>   -- use .sha256 for a SHA-256 checksum
>   -- use .sha512 for a SHA-512 checksum
>   -- [*] .sha should contain a SHA-1
>
> Why this change ?
>
>   -- Verifying a checksum under the old policy is/was not handy.
>      You have to inspect the .sha to find out which algorithm
>      should be used ; or try them all (SHA-1, SHA256, etc).
>      The new scheme avoids this ambiguity.
>   -- The last point[*] was only added for clarity. Most of the
>      old, stale .sha's contain a SHA-1. The relatively new .sha's
>      contain a SHA-512. The expectation is that the last category will
>      disappear, when active projects adapt to the 'new' convention.
>
> Impact :
>
>   -- Should be none ; many projects already use the 'new' convention.
>   -- Please ask your release managers to use .sha1, .sha256, .sha512
>      instead of the .sha extension.
>   -- Please fix your build-tools if you have any.
>
> Piggyback :
>
>   -- The policy requires a .md5 for every package ;
>      providing a .sha512 is recommended.
>      Since MD5 is essentially broken, it is to be expected that
>      in the future a .sha512 will be required.
>      Perhaps it is wise to start providing .sha512's
>      with your releases if you do not already do so.
>
>   -- Visit http://mirror-vm.apache.org/checker/
>      to check the health of your /dist/-area ;
>      my stuff ; any feedback is most welcome.
>
> Thanks ; regards,
>
> Henk Penning
>
> [1] http://www.apache.org/dev/release-distribution
> [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
>
> ------------------------------------------------------------
> Henk P. Penning ; apache.org infrastructure volunteer.
> [hidden email] ; http://mirror-vm.apache.org/~henkp/
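The extension convention from the forwarded policy message, as an added example (not part of the thread, and not ASF or Ignite tooling): a verifier that picks the hash algorithm from the checksum file's extension and, for a legacy .sha, has to open the file and guess from the digest length. The file names, the accepted checksum-file formats and the sample payload are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# New convention: the extension names the algorithm (.md5 is still required by the policy).
EXT_TO_ALGO = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
# Only for legacy .sha files: guess the algorithm from the hex digest length.
HEXLEN_TO_ALGO = {40: "sha1", 64: "sha256", 128: "sha512"}

def read_digest(checksum_file: Path) -> str:
    # Assumed file formats: bare hex, or coreutils-style "hex  filename".
    m = re.search(r"\b[0-9a-fA-F]{32,128}\b", checksum_file.read_text())
    if m is None:
        raise ValueError(f"no hex digest found in {checksum_file.name}")
    return m.group(0).lower()

def algorithm_for(checksum_file: Path) -> str:
    ext = checksum_file.suffix.lower()
    algo = EXT_TO_ALGO.get(ext)  # new convention: unambiguous, file is not opened
    if ext == ".sha":  # old policy: the content must be inspected to find the algorithm
        algo = HEXLEN_TO_ALGO.get(len(read_digest(checksum_file)))
    if algo is None:
        raise ValueError(f"cannot determine algorithm for {checksum_file.name}")
    return algo

def verify(artifact: Path, checksum_file: Path) -> bool:
    h = hashlib.new(algorithm_for(checksum_file))
    with artifact.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large archives
            h.update(chunk)
    return h.hexdigest() == read_digest(checksum_file)

def demo() -> dict:
    data = b"constructed sample payload\n"  # stands in for a release archive
    samples = {
        "example.zip.sha512": hashlib.sha512(data).hexdigest() + "  example.zip\n",
        "example.zip.sha256": hashlib.sha256(data).hexdigest() + "\n",
        "example.zip.sha": hashlib.sha512(data).hexdigest() + "\n",  # legacy .sha with SHA-512
        "tampered.zip.sha256": hashlib.sha256(b"other bytes").hexdigest() + "\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "example.zip"
        artifact.write_bytes(data)
        for name, text in samples.items():
            path = Path(tmp) / name
            path.write_text(text)
            results[name] = (algorithm_for(path), verify(artifact, path))
    return results
```

A checksum only detects corruption or a swapped file when the checksum itself comes from a trusted place; the policy section cited in the message covers signatures alongside checksums.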
Hi, Denis
Yes, we have a ticket that already takes this into account:
https://issues.apache.org/jira/browse/IGNITE-5817
I think we can create both sha-256 and sha-512 checksums.

Best regards
Oleg

On Thu, Aug 17, 2017 at 1:51 AM, Denis Magda <[hidden email]> wrote:

> Igniters, especially the release managers,
>
> Please consider these changes and recommendations for the next release. Do
> we have any ticket that already takes this into account?
>
> —
> Denis
Denis
Also we don't use .sha extension so we already follow those rules

On Thu, Aug 17, 2017 at 10:57 AM, Oleg Ostanin <[hidden email]> wrote:

> Hi, Denis
>
> Yes, we have a ticket that already takes this into account:
> https://issues.apache.org/jira/browse/IGNITE-5817
> I think we can create both sha-256 and sha-512 checksums.
>
> Best regards
> Oleg

--
Sergey Kozlov
GridGain Systems
www.gridgain.com
Guys,
Thanks for the confirmation and taking care of this.

—
Denis

> On Aug 17, 2017, at 1:32 AM, Sergey Kozlov <[hidden email]> wrote:
>
> Denis
>
> Also we don't use .sha extension so we already follow those rules
>
> --
> Sergey Kozlov
> GridGain Systems
> www.gridgain.com