Yes, that is correct. I'm referring to the ASF-wide parent pom. If I understand the situation correctly, releases of that POM are managed by the Maven PMC, but because of its utility throughout the ASF, Hervé Boutemy had commented on MPOM-118 that it should be brought to the attention of a larger audience. This thread is the result of his observation. :)
But there is no harm done. Thanks for providing an opportunity to clarify.

On Wed, May 18, 2016 at 3:26 PM Greg Trasuk <tras...@stratuscom.com> wrote:
> Whoops. Sorry about that.
>
> Greg
>
> > On May 18, 2016, at 2:50 PM, Benson Margulies <bimargul...@gmail.com> wrote:
> >
> > Greg, the proposal is for the _Default ASF POM_ to be set up so that _all_ projects would use SHA-512. This is not a question for the Maven PMC.
> >
> > On Wed, May 18, 2016 at 1:58 PM, Greg Trasuk <tras...@stratuscom.com> wrote:
> >>
> >> Hi Christopher:
> >>
> >> Thanks for your involvement. Apache Maven is one of many projects at the Apache Software Foundation. Each project has its own mailing lists. So your discussion should probably go to d...@maven.apache.org, which I’ve cc’d on this response. If you’re not subscribed to that list, you probably should do that as well - check the Apache Maven web site (http://maven.apache.org) for more info.
> >>
> >> Thanks again,
> >>
> >> Greg Trasuk
> >>
> >>> On May 18, 2016, at 1:45 PM, Christopher <ctubb...@apache.org> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I'm not sure of a better list to get feedback on, but I wanted to bring attention to the proposal here:
> >>> https://issues.apache.org/jira/browse/MPOM-118
> >>>
> >>> Essentially this is a suggestion to configure the maven-gpg-plugin to sign using SHA512 as its digest algorithm in the ASF Parent POM, used by many Maven/Java-based projects within ASF. This configuration takes effect during software releases when this plugin is activated (typically prior to a release candidate vote, and staging a release in Nexus for distribution to Maven Central).
> >>>
> >>> This would only affect the hash algorithm used to generate GPG signatures for releases, and not any separate SHA/MD hashes published separately by any project, which can be weaker (SHA1, MD5) for convenience, and don't convey the strong authenticity statement that digital signatures provide.
> >>>
> >>> For background, gpg uses SHA1 by default, unless the signing key or gpg configuration has a preference to use another algorithm (as described on https://www.apache.org/dev/openpgp).
> >>>
> >>> This proposed configuration change wouldn't force the use of SHA512 (it could still be overridden by a project), but it would make it the default, which helps improve the security of releases in the case where release managers have failed to keep their configuration up-to-date with the best recommendations for using gpg.
> >>>
> >>> Thoughts? +1s? Discuss here or on the JIRA please.
> >>>
> >>> Thank you.
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> For additional commands, e-mail: dev-h...@maven.apache.org
> >>
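The check a release consumer can run on the point the thread makes (whether a published detached signature really uses SHA512 rather than gpg's old SHA1 default), as an added example that is not part of this thread, the ASF parent POM or the maven-gpg-plugin: a small Python reader that extracts the hash algorithm identifier from the first OpenPGP signature packet (RFC 4880 sections 4.2, 5.2 and 9.4). The sample packets are constructed with dummy signature bodies and are not verifiable signatures.

```python
import base64

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def dearmor(text):
    """Strip the ASCII armor of a detached .asc signature (RFC 4880 section 6.2)."""
    body = text.strip().splitlines()[1:-1]      # drop the BEGIN/END lines
    while body and body[0].strip():              # skip armor headers up to the blank line
        body.pop(0)
    data = "".join(ln for ln in body if ln.strip() and not ln.startswith("="))  # "=" line is the CRC
    return base64.b64decode(data)

def signature_hash_algo(sig):
    """Return the digest algorithm name of the first OpenPGP packet, which must be a signature."""
    ctb = sig[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                               # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, sig[1]
        if 224 <= first < 255:
            raise ValueError("partial body lengths unsupported")
        pos = 2 if first < 192 else 3 if first < 224 else 6
    else:                                        # old-format header (RFC 4880 4.2.1)
        tag = (ctb >> 2) & 0x0F
        pos = 1 + (1, 2, 4, 0)[ctb & 0x03]       # length type 3 = indeterminate, no length octets
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    version = sig[pos]
    # v3 body: version, 0x05, sigtype, time(4), keyid(8), pkalgo, hashalgo
    # v4 body: version, sigtype, pkalgo, hashalgo, ...
    algo_id = sig[pos + 16] if version == 3 else sig[pos + 3]
    return HASH_ALGOS.get(algo_id, f"unknown({algo_id})")

def check_signature(sig):
    """(algorithm name, True if it is not one of the weak digests)."""
    algo = signature_hash_algo(sig)
    return algo, algo not in WEAK

# Constructed sample packets (dummy bodies, not verifiable signatures):
# v4, sig type 0x00, RSA (1), hash algo, empty subpacket areas, hash prefix, dummy MPI
_TAIL = b"\x00\x00\x00\x00\x12\x34\x00\x08\xff"
SIG_SHA512 = bytes([0x88, 13]) + b"\x04\x00\x01\x0a" + _TAIL   # old-format header, SHA512
SIG_SHA1 = bytes([0xC2, 13]) + b"\x04\x00\x01\x02" + _TAIL     # new-format header, gpg's old SHA1 default
ARMORED_SHA512 = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                  + base64.b64encode(SIG_SHA512).decode() + "\n=xxxx\n-----END PGP SIGNATURE-----\n")
```

Run it against a real `.asc` with `check_signature(dearmor(open(path).read()))`; `gpg --list-packets` reports the same field as "digest algo".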