Whoops. Sorry about that. Greg
> On May 18, 2016, at 2:50 PM, Benson Margulies <bimargul...@gmail.com> wrote:
>
> Greg, the proposal is for the _Default ASF POM_ to be set up so that
> _all_ projects would use SHA-512. This is not a question for the Maven
> PMC.
>
> On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tras...@stratuscom.com> wrote:
>>
>> Hi Christopher:
>>
>> Thanks for your involvement. Apache Maven is one of many projects at the
>> Apache Software Foundation. Each project has its own mailing lists. So
>> your discussion should probably go to d...@maven.apache.org, which I’ve cc’d
>> on this response. If you’re not subscribed to that list, you probably
>> should do that as well - check the Apache Maven web site
>> (http://maven.apache.org) for more info.
>>
>> Thanks again,
>>
>> Greg Trasuk
>>
>>> On May 18, 2016, at 1:45 PM, Christopher <ctubb...@apache.org> wrote:
>>>
>>> Hi all,
>>>
>>> I'm not sure of a better list to get feedback on, but I wanted to bring
>>> attention to the proposal here:
>>> https://issues.apache.org/jira/browse/MPOM-118
>>>
>>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign
>>> using SHA512 as its digest algorithm in the ASF Parent POM, used by many
>>> Maven/Java-based projects within ASF. This configuration takes effect
>>> during software releases when this plugin is activated (typically prior to
>>> a release candidate vote, and staging a release in Nexus for distribution
>>> to Maven Central).
>>>
>>> This would only affect the hash algorithm used to generate GPG signatures
>>> for releases, and not any separate SHA/MD hashes published separately by
>>> any project, which can be weaker (SHA1, MD5) for convenience, and don't
>>> convey the strong authenticity statement that digital signatures provide.
>>>
>>> For background, gpg uses SHA1 by default, unless the signing key or gpg
>>> configuration has a preference to use another algorithm (as described on
>>> https://www.apache.org/dev/openpgp).
>>>
>>> This proposed configuration change wouldn't force the use of SHA512 (it
>>> could still be overridden by a project), but it would make it the default,
>>> which helps improve the security of releases in the case where release
>>> managers have failed to keep their configuration up-to-date with the best
>>> recommendations for using gpg.
>>>
>>> Thoughts? +1s? Discuss here or on the JIRA please.
>>>
>>> Thank you.
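The property Christopher's proposal changes is the digest algorithm recorded inside each release signature, which gpg otherwise defaults to SHA1. As an added example that is not part of this thread, the ASF parent POM or the maven-gpg-plugin, the following Python script reads a detached signature (ASCII-armored `.asc` or raw bytes), parses the OpenPGP packet header and the version-specific prefix of the signature packet as laid out in RFC 4880, and reports which hash algorithm the signer used, so a release checker can confirm that the SHA-512 default actually took effect for a given artifact. The function names (`dearmor`, `read_packet`, `signature_digest`, `digest_is_acceptable`) are this example's own, and the sample signatures it builds with `fake_v4_signature` are constructed test data: structurally valid packets, not real signatures.

```python
import base64
import re

# RFC 4880 section 9.4 hash algorithm identifiers.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160",
              8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Digests a release checker accepts for signatures; SHA1 and MD5 are rejected.
ACCEPTABLE = {"SHA256", "SHA384", "SHA512"}

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)-----END PGP SIGNATURE-----", re.S)


def dearmor(text):
    """Return the binary packet bytes from an ASCII-armored .asc signature."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no PGP SIGNATURE armor found")
    payload = []
    for line in m.group(1).splitlines():
        line = line.strip()
        # Skip blank lines, armor headers ("Version: ...") and the "=XXXX"
        # CRC-24 line; everything else is base64 packet data.
        if not line or ": " in line or line.startswith("="):
            continue
        payload.append(line)
    return base64.b64decode("".join(payload))


def read_packet(data):
    """Parse one packet header (RFC 4880 section 4.2); return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old-format header
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:  # indeterminate length: body runs to end of data
            length, off = len(data) - 1, 1
        else:
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]


def signature_digest(sig):
    """Name the hash algorithm in a detached signature (armored str or bytes)."""
    data = dearmor(sig) if isinstance(sig, str) else sig
    tag, body = read_packet(data)
    if tag != 2:
        raise ValueError("expected a signature packet (tag 2), got tag %d" % tag)
    version = body[0]
    if version == 4:
        # v4: version, signature type, public-key algorithm, hash algorithm
        algo_id = body[3]
    elif version == 3:
        # v3: version, hashed-material length (5), signature type, 4-byte
        # creation time, 8-byte key ID, public-key algorithm, hash algorithm
        algo_id = body[16]
    else:
        raise ValueError("unsupported signature version %d" % version)
    return HASH_ALGOS.get(algo_id, "unknown(%d)" % algo_id)


def digest_is_acceptable(sig):
    """True when the signature was made with a SHA-2 digest."""
    return signature_digest(sig) in ACCEPTABLE


def fake_v4_signature(hash_algo_id):
    """Constructed test data: a structurally valid but cryptographically
    meaningless v4 RSA signature packet with the given hash algorithm."""
    body = bytes([4, 0x00, 1, hash_algo_id])  # version, sig type, RSA, digest
    body += b"\x00\x00" + b"\x00\x00"          # empty hashed/unhashed subpackets
    body += b"\xab\xcd"                          # left 16 bits of the hash
    body += b"\x00\x08\x7f"                      # one-byte MPI placeholder
    return bytes([0x88, len(body)]) + body       # old-format header, tag 2


def armor(packet):
    """Wrap packet bytes in ASCII armor; the CRC line is a placeholder here."""
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
            + b64 + "\n=AAAA\n-----END PGP SIGNATURE-----\n")


SHA512_ASC = armor(fake_v4_signature(10))  # what the proposed default yields
SHA1_ASC = armor(fake_v4_signature(2))     # gpg's default without the change

if __name__ == "__main__":
    for name, asc in (("sha512", SHA512_ASC), ("sha1", SHA1_ASC)):
        print(name, signature_digest(asc), digest_is_acceptable(asc))
```

On a real release, pass the contents of the artifact's `.asc` file to `signature_digest`; it only reads the packet prefix, so it reports the digest even when the public key is not available locally, but it does not verify the signature itself, which remains `gpg --verify`'s job.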