jira-importer commented on issue #394: URL: https://github.com/apache/maven-apache-parent/issues/394#issuecomment-2771704861
**[Herve Boutemy](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=hboutemy)** commented > If the source release should only be in the dist area then it should be accompanied with a BSD style hash file for external verification and not be present on Maven Central at all. My personal question has always been: Why does it need to be on Central at all?! this one is true, but nobody understands it = the separation between rules for Apache dist area and Maven Central and in theory, yes, this difference at checksum level should be visible at format level (whatever checksum strength: old md5 and sha1, or newer sha512): Apache checksum should be BSD style (i.e. with file name) while Maven Central is raw checksum (i.e. without filename) really enforcing this difference in format would be ideal, but creates headaches: same checksum file name, but different content people who are taking time to drop .sha512 from staging directory are wasting their time for being picky: they should probably be more picky at clarifying file format on Tamas idea with Maven 3.9, technically also true: I just hate that this sha512 checksum is added on every Maven Central file, just because Aapche dist area should have it on 1 source-release (and in BSD format, if we went precise) perhaps putting the plugin in a separately skippable profile would be a way to make everyone happy (half happy because it's a compromise on all the diverging good points that were cited in this issue) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
