Re: No longer supply SHA1 checksums for new releases

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Mon, 13 Aug 2018 12:20:57 +0000

Julian Foad wrote on Mon, 13 Aug 2018 12:59 +0100:
> We "SHOULD NOT" any longer publish SHA1 checksums for new releases, according to
> https://www.apache.org/dev/release-distribution#sigs-and-sums
>
> So I have done this:
>
> * remove references to SHA1 from the documentation
>
> -- http://svn.apache.org/r1837935
>

> * stop producing *.sha1 files and stop listing SHA1 on the 'downloads' page
>
> -- http://svn.apache.org/r1837939
>

I was under the impression that we should keep producing *.sha1 files
for 1.9 and 1.10 releases, for compatibility reasons. The "SHOULD NOT"
language in the policy was specifically intended to allow this sort of
compatibility.

To be clear, I'm suggesting that we only drop sha1 checksums for 1.11.0-alpha1
and newer. WDYT?

> * remove SHA1 listings from the 'downloads' web page for current releases
>
> -- http://svn.apache.org/r1837938
>

> Thanks to Paul Hammant for mentioning this policy to me.

Thank you for doing the legwork.

Cheers,

Daniel
Received on 2018-08-13 14:21:07 CEST

This message: [ Message body ]
Next message: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"
Previous message: Julian Foad: "No longer supply SHA1 checksums for new releases"
In reply to: Julian Foad: "No longer supply SHA1 checksums for new releases"
Next in thread: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"
Reply: Julian Foad: "Re: No longer supply SHA1 checksums for new releases"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]