On Sunday, 18 March 2018, 13:14:12 CET, Karl Heinz Marbaise wrote:
> Hi to all,
>
> based on the checksum policy change in ASF[1] I would like to ask what
> you think would be the best way to go. I have summarized my thoughts on
> that...maybe you have some suggestions/supplementals etc.
>
>
> Currently we have at least md5's in your release plugin repo[2] which
> means we should add sha1 / sha256 etc. (or maybe replace it with sha256
> or sha512) to that repository...which can be done more or less easy...
>
> The more inconvenient part is that we need to change our download
> template in each plugin repo which only references .md5...

this is where the Google repo configuration to check out everything is handy: you can then easily do update automation
>
> For the maven core itself there are already sha256 checksums for the
> 3.5.3 release available but they are not used on the download page which
> needs to be changed...
>
> ToDo's:
>
> 1. Change the download page for Maven Core using sha256[3]
>    Starting with 3.5.3..
>
> 2. Change all plugins in dist. repo and add sha256 checksums
>    Maybe we should change that for all artifacts in the dist repository
>    ( think this can be done by a script).

you'll need to change dist-tool also, since it currently absolutely wants a .md5

>
> 3. Change the maven-install/maven-deploy plugin and move checksum
>    generation to maven-deploy-plugin (change artifact-transfer component
>    accordingly; working on that)[4]. Change to create sha1/sha256 only.

IMHO, there is a mix of concerns here: these plugins are not about Apache source dist policy, but about Maven repository format. It's wiser IMHO to leave this for another discussion.

>
>    From my point of view it makes sense to change that with version
>    3.0.0 of maven-install/maven-deploy plugin...
>
>    For the first initial release the sha1/sha256 needed to be added
>    manually to the release (need to check if this works with the
>    repository manager?)
>
> 4. Summarize the changes/issues which can result from a change
>    like that. Predict possible issues (If we can?)

like dist-tool :)

>
> 5. Change our release procedure to create sha256/sha512(whatever
>    we find useful?) checksums and remove md5 for all components
>    might be already done by 3 (If I correctly read that).
>
> 6. Change the download template in the repositories to use
>    sha1/sha256 instead of md5.
>
>
> Kind regards
> Karl Heinz Marbaise
>
> [1]: https://www.apache.org/dev/release-distribution.html#sigs-and-sums
> [2]: https://dist.apache.org/repos/dist/release/maven/plugins/
> [3]: https://issues.apache.org/jira/browse/MNGSITE-327
> [4]: https://issues.apache.org/jira/browse/MNGSITE-328
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
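
Item 2 of the quoted to-do list says adding sha256 checksums across the dist repository "can be done by a script". The sketch below shows one way such a script could work; it is an added example, not part of the original messages and not Maven or dist-tool code. The directory layout, the sidecar suffixes and all function names are assumptions.

```python
import hashlib
from pathlib import Path

# Sidecar suffix -> hashlib name (suffixes assumed from the thread's md5/sha1/sha256/sha512).
SIDECARS = {".md5": "md5", ".sha1": "sha1", ".sha256": "sha256", ".sha512": "sha512"}
NOT_ARTIFACTS = set(SIDECARS) | {".asc"}  # checksum files and detached signatures

def digest(path, algo):
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def artifacts(root):
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix not in NOT_ARTIFACTS)

def sidecar(art, suffix):
    return art.with_name(art.name + suffix)

def md5_only(root):
    """Artifacts whose only checksum file is the .md5 one."""
    return [a for a in artifacts(root)
            if [s for s in SIDECARS if sidecar(a, s).exists()] == [".md5"]]

def add_checksums(root, algo="sha256"):
    """Write missing <artifact>.<algo> files; return the paths written."""
    written = []
    for art in artifacts(root):
        # Verify existing sidecars first: never mint a checksum for a file that fails its recorded one.
        for suffix, name in SIDECARS.items():
            side = sidecar(art, suffix)
            if side.exists():
                recorded = (side.read_text().split() or [""])[0].lower()
                if recorded != digest(art, name):
                    raise ValueError(f"{side.name} does not match {art.name}")
        target = sidecar(art, "." + algo)
        if not target.exists():
            target.write_text(digest(art, algo) + "\n")
            written.append(target)
    return written

if __name__ == "__main__":  # constructed sample tree, not real release data
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        art = Path(d, "demo-plugin-1.0-source-release.zip")
        art.write_bytes(b"constructed sample")
        sidecar(art, ".md5").write_text(digest(art, "md5"))
        print(md5_only(d), add_checksums(d))
```

Existing checksum files are left in place, so a tool that still expects a .md5 next to each artifact keeps working while the stronger checksums are added.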
