+1 On Wed, May 18, 2016 at 7:45 PM, Christopher <ctubb...@apache.org> wrote:
> Hi all, > > I'm not sure a better list to get feedback on, but I wanted to bring > attention to the proposal here: > https://issues.apache.org/jira/browse/MPOM-118 > > Essentially this is a suggestion to configure the maven-gpg-plugin to sign > using SHA512 as its digest algorithm in the ASF Parent POM, used by many > Maven/Java-based projects within ASF. This configuration takes affect > during software releases when this plugin is activated (typically prior to > a release candidate vote, and staging a release in Nexus for distribution > to Maven Central). > > This would only affect the hash algorithm used to generate GPG signatures > for releases, and not any separate SHA/MD hashes published separately by > any project, which can be weaker (SHA1, MD5) for convenience, and don't > convey the strong authenticity statement that digital signatures provide. > > For background, gpg uses SHA1 by default, unless the signing key or gpg > configuration has a preference to use another algorithm (as described on > https://www.apache.org/dev/openpgp). > > This proposed configuration change wouldn't force the use of SHA512 (it > could still be overridden by a project), but it would make it the default, > which helps improve the security of releases in the case where release > managers have failed to keep their configuration up-to-date with the best > recommendations for using gpg. > > Thoughts? +1s? Discuss here or on the JIRA please. > > Thank you. > -- Sergio Fernández Partner Technology Manager Redlink GmbH m: +43 6602747925 e: sergio.fernan...@redlink.co w: http://redlink.co
