Since SHA1/MD5 are deprecated and no longer supported by the policy[1], it 
seems like they should be removed from Nexus as a requirement, replaced instead 
by a requirement for SHA256|512.

I'm not sure exactly how to go about doing this, but please open an Infra Jira 
ticket and we can look into it further.

-Chris
ASF Infra

[1] https://infra.apache.org/release-distribution


> On Nov 15, 2021, at 2:55 PM, Tilmann <tilmann_...@gmx.de> wrote:
> 
> Dear all,
> 
> I hope this is the correct list to ask this, please direct me elsewhere
> if it is not.
> 
> We are trying to stage a release on Nexus. As suggested here
> <https://infra.apache.org/release-distribution> and here
> <https://infra.apache.org/publishing-maven-artifacts.html>, I removed
> the .md5 and .sha1 files for the .zip/.tar.gz files before closing the
> release.
> Note that these files are still signed with sha512.
> 
> However, when I try to close the release the process fails with an error
> saying that Apache Rules failed because there is no md5 and no sha1:
> 
> Event: Failed: Checksum Validation
> typeId    checksum-staging
> failureMessage    Required SHA-1:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.sha1'
> failureMessage    Required MD5:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.zip.md5'
> failureMessage    Required SHA-1:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.sha1'
> failureMessage    Required MD5:
> '/org/apache/jdo/3.2-RC3/jdo-3.2-RC3-source-release.tar.gz.md5'
> 
> 
> It appears that the "Apache Rules" in Nexus contradict the
> recommendations in the documentation.
> 
> Any suggestions on what to do?
> - Is there a way to specify different (newer?) Apache Rules to be
> executed in Nexus?
> - Can I configure the process?
> - Should I leave sha1/md5 in the release?
> 
> Any pointers are appreciated.
> 
> In case it matters, here is our parent .pom:
> https://github.com/apache/db-jdo/blob/3.2/parent-pom/pom.xml
> 
> Thanks,
> 
> Til
> 
> 
> 
