Greg, the proposal is for the _Default ASF POM_ to be set up so that _all_ projects would use SHA-512. This is not a question for the Maven PMC.
On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tras...@stratuscom.com> wrote:
>
> Hi Christopher:
>
> Thanks for your involvement. Apache Maven is one of many projects at the Apache Software Foundation. Each project has its own mailing lists. So your discussion should probably go to d...@maven.apache.org, which I’ve cc’d on this response. If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.
>
> Thanks again,
>
> Greg Trasuk
>
>> On May 18, 2016, at 1:45 PM, Christopher <ctubb...@apache.org> wrote:
>>
>> Hi all,
>>
>> I'm not sure of a better list to get feedback on, but I wanted to bring attention to the proposal here:
>> https://issues.apache.org/jira/browse/MPOM-118
>>
>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign using SHA512 as its digest algorithm in the ASF Parent POM, used by many Maven/Java-based projects within ASF. This configuration takes effect during software releases when this plugin is activated (typically prior to a release candidate vote, and staging a release in Nexus for distribution to Maven Central).
>>
>> This would only affect the hash algorithm used to generate GPG signatures for releases, and not any separate SHA/MD hashes published separately by any project, which can be weaker (SHA1, MD5) for convenience, and don't convey the strong authenticity statement that digital signatures provide.
>>
>> For background, gpg uses SHA1 by default, unless the signing key or gpg configuration has a preference to use another algorithm (as described on https://www.apache.org/dev/openpgp).
>>
>> This proposed configuration change wouldn't force the use of SHA512 (it could still be overridden by a project), but it would make it the default, which helps improve the security of releases in the case where release managers have failed to keep their configuration up-to-date with the best recommendations for using gpg.
>>
>> Thoughts? +1s? Discuss here or on the JIRA please.
>>
>> Thank you.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
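The quoted proposal turns on one fact that is easy to check after the fact: the digest algorithm is recorded inside every OpenPGP signature packet, so a release manager (or a downstream consumer) can tell from a published .asc whether it was made with gpg's SHA1 default or with SHA512. The script below is an added example for this thread, not code from the MPOM-118 proposal, the ASF parent POM or maven-gpg-plugin. It reads a detached signature (binary or ASCII-armored), walks the RFC 4880 packet header and signature body, and returns the hash-algorithm name; the identifiers come from RFC 4880 section 9.4 and match the "digest algo N" that `gpg --list-packets` prints. The function names, the constructed sample packets (which are syntactically valid but carry dummy hash prefixes and MPIs, so they would never verify) and the placeholder CRC line in the armor helper are this example's own assumptions.

```python
"""Report which digest algorithm an OpenPGP signature was made with.

Added example for the MPOM-118 discussion; not code from the ASF parent POM
or maven-gpg-plugin. Pulls the hash-algorithm octet out of a signature
packet as laid out in RFC 4880 section 5.2. A signature made by a default
gpg setup reports SHA1; one made with `gpg --digest-algo SHA512` reports
SHA512 (gpg --list-packets shows the same value as "digest algo 10").
"""
import base64

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {
    1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
    9: "SHA384", 10: "SHA512", 11: "SHA224",
}
SIGNATURE_TAG = 2  # packet tag of a Signature Packet


def dearmor(text):
    """Strip ASCII armor (BEGIN/END lines, headers, CRC24 line) and base64-decode.

    The CRC24 line is skipped rather than verified: this inspects, it does
    not verify. Base64 data never contains ':' and never starts with '='.
    """
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
        elif line.startswith("-----END "):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)
    return base64.b64decode("".join(body))


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) of the first packet in data."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header, RFC 4880 section 4.2.2
        tag, n = first & 0x3F, data[1]
        if n < 192:
            return tag, 2, n
        if n < 224:
            return tag, 3, ((n - 192) << 8) + data[2] + 192
        if n == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate packet length is not supported")


def signature_digest(sig):
    """Digest algorithm name of a detached signature (bytes, or armored str)."""
    if isinstance(sig, str):
        sig = dearmor(sig)
    tag, off, length = parse_packet_header(sig)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = sig[off:off + length]
    version = body[0]
    if version == 3:
        # v3: version, hashed length (5), sig type, time (4), key id (8), pk algo, hash algo
        algo_id = body[16]
    elif version in (4, 5):
        # v4/v5: version, sig type, pk algo, hash algo, then subpackets
        algo_id = body[3]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")


def build_sample_signature(hash_algo_id, version=4, new_format=False):
    """Constructed signature packet for testing only: dummy hash prefix and MPI."""
    if version == 4:
        body = bytes([4, 0x00, 1, hash_algo_id])  # v4, binary document, RSA, hash
        body += b"\x00\x00" + b"\x00\x00"           # no hashed / unhashed subpackets
    else:
        body = bytes([3, 5, 0x00]) + b"\x00" * 4 + b"\x00" * 8 + bytes([1, hash_algo_id])
    body += b"\xab\xcd" + b"\x00\x08\xff"            # hash prefix, then an 8-bit MPI
    header = bytes([0xC2 if new_format else 0x88, len(body)])  # tag 2, one-octet length
    return header + body


def armor(data):
    """Wrap packet bytes in ASCII armor; the CRC line is a placeholder, not computed."""
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            f"{b64}\n=AAAA\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python check_sig_digest.py release.tar.gz.asc
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
        print(signature_digest(raw.decode("ascii") if raw.startswith(b"-----BEGIN") else raw))
    else:
        print("default gpg :", signature_digest(build_sample_signature(2)))
        print("SHA512 config:", signature_digest(armor(build_sample_signature(10))))
```

Run against a real .asc from a staged release and the result is the same value `gpg --list-packets` reports, which makes this a cheap check to fold into a release-candidate vote alongside `gpg --verify`: a signature that still says SHA1 means the parent-POM default was overridden or an older plugin configuration was used. The v3 layout is handled only because some very old keys still emit it; anything current produces v4.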