I usually include sha512 hashes in my release emails, but I try to remain
overly paranoid about cryptography. As for whether or not sha1 is still
useful for cryptographic signatures, the hash itself is encrypted in a
signature, so you still need access to the private key to create the
signature in
I think the hashes are important in the vote email as there can often
be multiple release candidates (locally or announced on dev@) -- and
it is not impossible to get it wrong as the files are all called the
same. While hashes can be used to detect malicious tampering, it's
more useful to detect ac
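The distinction drawn in the two messages above (a checksum confirms that the download arrived intact, while only the signature made with the release manager's private key proves who produced the file) is what a release-verification script has to respect. The following is an added illustration, not code from the thread or from any ASF project: it reads a published checksum file in either the coreutils `sha512sum` layout or the `gpg --print-md` layout, picks the digest algorithm from the digest length, and reports which constructed artifacts match. The file names, contents and the wrapping rule for `--print-md` continuation lines are assumptions made for the example.

```python
"""Added example: checking downloaded release artifacts against a published
checksum file. Illustrative code, not from the thread or any ASF project;
file names and contents are constructed."""
import hashlib
import re

# Hex digest length -> hashlib algorithm. md5/sha1 are kept only so that the
# older checksum files mentioned in the thread can still be read; a checksum
# of any strength proves the download is intact, not who produced the file.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# "gpg --print-md SHA512 file" style: "name: AAAA BBBB ...", continued on
# indented lines (the indentation rule is an assumption of this example).
_PRINT_MD_RE = re.compile(r"^(\S+):\s+([0-9A-Fa-f][0-9A-Fa-f ]*)$")
# coreutils "sha512sum" style: "<hex>  name" (text) or "<hex> *name" (binary).
_COREUTILS_RE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(\S.*)$")


def parse_checksum_file(text):
    """Return {file name: lowercase hex digest} from either checksum format."""
    entries = {}
    current = None  # name whose wrapped print-md digest is being continued
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if raw[0].isspace() and current is not None:
            entries[current] += raw.replace(" ", "").strip().lower()
            continue
        line = raw.strip()
        m = _PRINT_MD_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = m.group(2).replace(" ", "").lower()
            continue
        current = None
        m = _COREUTILS_RE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
        # anything else (comments, trailers) is ignored
    return entries


def verify_artifacts(artifacts, checksum_text):
    """artifacts: {file name: bytes}. Returns {file name: (matched, detail)},
    detail being the algorithm used or the reason no check was possible."""
    expected = parse_checksum_file(checksum_text)
    results = {}
    for name, data in artifacts.items():
        published = expected.get(name)
        if published is None:
            results[name] = (False, "no published checksum")
            continue
        algo = _ALGO_BY_HEX_LEN.get(len(published))
        if algo is None:
            results[name] = (False, "unrecognised digest length %d" % len(published))
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[name] = (actual == published, algo)
    return results


# Constructed sample data (not real release contents).
SAMPLE_ARTIFACT = b"constructed sample tarball contents\n"
TAMPERED_ARTIFACT = SAMPLE_ARTIFACT + b"x"  # one byte appended in transit


def sample_checksum_text():
    """Constructed checksum file covering both formats for SAMPLE_ARTIFACT."""
    sha512 = hashlib.sha512(SAMPLE_ARTIFACT).hexdigest()
    sha1 = hashlib.sha1(SAMPLE_ARTIFACT).hexdigest()
    groups = [sha512[i:i + 4].upper() for i in range(0, len(sha512), 4)]
    return "\n".join([
        "%s  example-1.0-src.tar.gz" % sha512,               # sha512sum, text mode
        "%s *example-1.0-src.zip" % sha1,                    # sha1sum, binary mode
        "example-1.0-bin.tar.gz: " + " ".join(groups[:16]),  # gpg --print-md
        "        " + " ".join(groups[16:]),                  # wrapped continuation
        "",
    ])


if __name__ == "__main__":
    checks = verify_artifacts({
        "example-1.0-src.tar.gz": SAMPLE_ARTIFACT,
        "example-1.0-bin.tar.gz": TAMPERED_ARTIFACT,
        "example-1.0.jar": SAMPLE_ARTIFACT,
    }, sample_checksum_text())
    for name, (ok, detail) in sorted(checks.items()):
        print("%-26s %s (%s)" % (name, "OK" if ok else "FAILED", detail))
```

A failed or missing checksum means the file should be fetched again, not that anyone has tampered with it; whoever can replace the artifact on a mirror can replace the checksum file beside it. Authenticity is established separately, as the thread goes on to say, by verifying the detached `.asc` signature (`gpg --verify example-1.0-src.tar.gz.asc example-1.0-src.tar.gz`) against keys obtained from the project's KEYS file rather than from the mirror.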
The .asc files should be used for verification. I don't even see the point
of adding md5 hashes anymore. Most software repositories rely on gpg
signatures instead nowadays.
On 4 December 2016 at 07:44, sebb wrote:
> The hashes are not intended for authentication, only for checking that
> the dow
The hashes are not intended for authentication, only for checking that
the download works OK.
So the strength of the algorithm is not relevant here.
On 3 December 2016 at 20:02, Gary Gregory wrote:
> Well, getting SHA-1 hashes is not awesome either, we really need a plugin
> updated to use SHA-2/
Well, getting SHA-1 hashes is not awesome either, we really need a plugin
updated to use SHA-2/SHA-256
Gary
On Sat, Dec 3, 2016 at 11:57 AM, Matt Sicker wrote:
> The source jar does just include the .java/.scala/etc. files along with
> anything in src/main/resources/ (and anything else configur
I am not mentioning SHA-3 but you get my point.
Gary
On Sat, Dec 3, 2016 at 12:02 PM, Gary Gregory wrote:
> Well, getting SHA-1 hashes is not awesome either, we really need a plugin
> updated to use SHA-2/SHA-256
>
> Gary
>
> On Sat, Dec 3, 2016 at 11:57 AM, Matt Sicker wrote:
>
>> The source
The source jar does just include the .java/.scala/etc. files along with
anything in src/main/resources/ (and anything else configured, though this
is the default). I think that a source jar is required for distribution on
maven central. Besides making releases on the /dist/ svn repo, there's
reposi
On Dec 3, 2016 9:34 AM, "Charles Honton" wrote:
>
> To follow up the thread on releasing parent 42 and exactly what needs to be
> signed, etc. I’ve researched ASF release policy. Here’s the gist:
>
> 1. Every ASF release must contain a source package, which must be
> sufficient for a user to build and
To follow up the thread on releasing parent 42 and exactly what needs to be
signed, etc. I’ve researched ASF release policy. Here’s the gist:
1. Every ASF release must contain a source package, which must be sufficient
for a user to build and test the release provided they have access to the
app