Greg, the proposal is for the _Default ASF POM_ to be set up so that
_all_ projects would use SHA-512. This is not a question for the Maven
PMC.

On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tras...@stratuscom.com> wrote:
>
> Hi Christopher:
>
> Thanks for your involvement.  Apache Maven is one of many projects at the 
> Apache Software Foundation.  Each project has its own mailing lists.  So your 
> discussion should probably go to d...@maven.apache.org, which I’ve cc’d on 
> this response.  If you’re not subscribed to that list, you probably should do 
> that as well - check the Apache Maven web site (http://maven.apache.org) for 
> more info.
>
> Thanks again,
>
> Greg Trasuk
>
>> On May 18, 2016, at 1:45 PM, Christopher <ctubb...@apache.org> wrote:
>>
>> Hi all,
>>
>> I'm not sure a better list to get feedback on, but I wanted to bring
>> attention to the proposal here:
>> https://issues.apache.org/jira/browse/MPOM-118
>>
>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
>> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
>> Maven/Java-based projects within ASF. This configuration takes effect
>> during software releases when this plugin is activated (typically prior to
>> a release candidate vote, and staging a release in Nexus for distribution
>> to Maven Central).
>>
>> This would only affect the hash algorithm used to generate GPG signatures
>> for releases, and not any separate SHA/MD hashes published separately by
>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
>> convey the strong authenticity statement that digital signatures provide.
>>
>> For background, gpg uses SHA1 by default, unless the signing key or gpg
>> configuration has a preference to use another algorithm (as described on
>> https://www.apache.org/dev/openpgp).
>>
>> This proposed configuration change wouldn't force the use of SHA512 (it
>> could still be overridden by a project), but it would make it the default,
>> which helps improve the security of releases in the case where release
>> managers have failed to keep their configuration up-to-date with the best
>> recommendations for using gpg.
>>
>> Thoughts? +1s? Discuss here or on the JIRA please.
>>
>> Thank you.
>
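The change the proposal describes, shown as an added example configuration (this is not the text of MPOM-118 or the ASF parent POM itself): the plugin's `gpgArguments` parameter hands extra options straight to the gpg binary, so `--digest-algo SHA512` takes precedence over whatever digest the release manager's key or gpg.conf would otherwise select. The parameter name is the one current maven-gpg-plugin releases document; the plugin version is a placeholder.

```xml
<!-- Example only: an SHA-512 default for release signatures in a parent POM.
     The version below is a placeholder; use the real plugin version. -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- Passed verbatim to the gpg executable. Without this, gpg
               falls back to SHA-1 unless the signing key or gpg.conf
               prefers a stronger digest, which is exactly the stale
               configuration the proposal guards against. A child POM
               can still override gpgArguments if it needs to. -->
          <gpgArguments>
            <arg>--digest-algo</arg>
            <arg>SHA512</arg>
          </gpgArguments>
        </configuration>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```

To confirm a published signature actually used it, `gpg --list-packets artifact.asc` reports `digest algo 10` for SHA-512 (the RFC 4880 hash identifier), whereas an SHA-1 signature reports `digest algo 2`.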
