Hi to all,

Based on the checksum policy change in ASF[1] I would like to ask what you think would be the best way to go. I have summarized my thoughts on that... maybe you have some suggestions/supplementals etc.


Currently we have at least md5's in your release plugin repo[2] which means we should add sha1 / sha256 etc. (or maybe replace it with sha256 or sha512) to that repository... which can be done more or less easily...

The more inconvenient part is that we need to change our download template in each plugin repo which only references .md5...

For the maven core itself there are already sha256 checksums for the 3.5.3 release available but they are not used on the download page which needs to be changed...

ToDo's:

1. Change the download page for Maven Core using sha256[3]
   Starting with 3.5.3..

2. Change all plugins in dist. repo and add sha256 checksums
   Maybe we should change that for all artifacts in the dist repository
   (I think this can be done by a script).

3. Change the maven-install/maven-deploy plugin and move checksum
   generation to maven-deploy-plugin (change artifact-transfer component
   accordingly; working on that)[4]. Change to create sha1/sha256 only.

   From my point of view it makes sense to change that with version
   3.0.0 of maven-install/maven-deploy plugin...

   For the first initial release the sha1/sha256 needed to be added
   manually to the release (need to check if this works with the
   repository manager?)

4. Summarize the changes/issues which can result from a change
   like that. Predict possible issues (If we can?)

5. Change our release procedure to create sha256/sha512 (whatever
   we find useful?) checksums and remove md5 for all components
   might be already done by 3 (If I correctly read that).

6. Change the download template in the repositories to use
   sha1/sha256 instead of md5.


Kind regards
Karl Heinz Marbaise

[1]: https://www.apache.org/dev/release-distribution.html#sigs-and-sums
[2]: https://dist.apache.org/repos/dist/release/maven/plugins/
[3]: https://issues.apache.org/jira/browse/MNGSITE-327
[4]: https://issues.apache.org/jira/browse/MNGSITE-328
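
Item 2 of the list above suggests that a script could add sha256 checksums to the dist repository. The following is an added example of such a script, not part of the original message and not the Maven project's own tooling. It assumes a local checkout of the release tree, GNU coreutils (`md5sum`, `sha256sum`, `sha512sum`), and that each sidecar file stores the hex digest as its first whitespace-separated field; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: backfill .sha256/.sha512 sidecars in a local checkout of a
# release tree. Assumes GNU coreutils and that a sidecar holds the hex digest
# as its first whitespace-separated field.
set -eu

# hex_digest ALG FILE -> prints the lowercase hex digest of FILE.
hex_digest() {
    "${1}sum" "$2" | cut -d' ' -f1
}

# recorded_digest SIDECAR -> prints the digest stored in a sidecar file.
recorded_digest() {
    tr 'A-F' 'a-f' < "$1" | awk 'NR == 1 { print $1 }'
}

# backfill_checksums DIR -> writes missing sidecars, prints "written=N skipped=M".
# An artifact whose existing .md5 does not match is skipped, so a stronger
# checksum is never generated over a file that already fails its old one.
backfill_checksums() {
    list=$(mktemp)
    find "$1" -type f ! -name '*.md5' ! -name '*.sha1' ! -name '*.sha256' \
        ! -name '*.sha512' ! -name '*.asc' > "$list"
    written=0
    skipped=0
    while IFS= read -r f; do
        if [ -f "$f.md5" ] &&
           [ "$(recorded_digest "$f.md5")" != "$(hex_digest md5 "$f")" ]; then
            echo "MD5 mismatch, not touching: $f" >&2
            skipped=$((skipped + 1))
            continue
        fi
        for alg in sha256 sha512; do
            if [ ! -e "$f.$alg" ]; then
                hex_digest "$alg" "$f" > "$f.$alg"
                written=$((written + 1))
            fi
        done
    done < "$list"
    rm -f "$list"
    echo "written=$written skipped=$skipped"
}

# Stand-alone use: sh backfill.sh /path/to/checkout
if [ "$#" -gt 0 ]; then backfill_checksums "$1"; fi
```

The MD5 comparison only catches corruption of the local copy; checking the `.asc` signature against the project's KEYS file is the stronger pre-check before publishing new checksums.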

