I will take it over.
> On 15 Jan 2021, at 12:37, Andrey Mashenkov <andrey.mashen...@gmail.com> wrote: > > I've created a ticket for the issue [1]. > Someone who fully understands the release process may pick it up. > > [1] https://issues.apache.org/jira/browse/IGNITE-13999 > > On Fri, Jan 15, 2021 at 12:01 AM Andrey Mashenkov < > andrey.mashen...@gmail.com> wrote: > >> Val, I didn't found the way to make a local deploy. So I just make >> 'install'. >> >> Yes you are right, only source jar is signed. >> Seems, we need to configure checksum plugin for signing binary jars as it >> is done in Maven-parent or any other project. >> >> чт, 14 янв. 2021 г., 23:14 Valentin Kulichenko < >> valentin.kuliche...@gmail.com>: >> >>> Andrey, >>> >>> Did you try on the 2.x or 3.x? >>> >>> I've just tried to do the same in ignite-3, but it didn't work for me. >>> I've >>> updated the parent pom version to 23 and ran "mvn clean deploy >>> -Papache-release". The source package is now signed with SHA512, which is >>> good, but there was no effect on the JAR artifacts. As a matter of fact, I >>> don't see any checksum files for them. My guess is that by default they >>> are >>> generated by the deploy plugin, during the upload to Maven. Here is the >>> resulting staging (still MD5 and SHA1): >>> https://repository.apache.org/content/repositories/orgapacheignite-1505/ >>> >>> Does it behave in the same way for you? >>> >>> -Val >>> >>> On Thu, Jan 14, 2021 at 3:30 AM Andrey Mashenkov < >>> andrey.mashen...@gmail.com> >>> wrote: >>> >>>> I've made "mvn clean install" with enabled "apache-release" profile and >>> see >>>> *.sha-512 checksum files in target directories. >>>> So, upgrading to the latest apache parent looks sufficient. >>>> >>>> >>>> On Thu, Jan 14, 2021 at 12:30 PM Petr Ivanov <mr.wei...@gmail.com> >>> wrote: >>>> >>>>> Is seems that parent is already updated in >>>>> https://issues.apache.org/jira/browse/IGNITE-13987 < >>>>> https://issues.apache.org/jira/browse/IGNITE-13987> >>>>> >>>>> >>>>> >>>>>> On 14 Jan 2021, at 01:57, Valentin Kulichenko < >>>>> valentin.kuliche...@gmail.com> wrote: >>>>>> >>>>>> Andrey, >>>>>> >>>>>> This sounds even better. Can you create a ticket for this change? >>>>>> >>>>>> -Val >>>>>> >>>>>> On Wed, Jan 13, 2021 at 2:34 PM Andrey Mashenkov < >>>>> andrey.mashen...@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> Val, >>>>>>> >>>>>>> I've just found Maven projects use SHA-512. >>>>>>> I passed through commits and found they just switched to newer >>> parent >>>>>>> org.apache:apache pom. >>>>>>> I've compared our current parent pom with the latest available one >>>>>>> (org.apache:apache:16 vs org.apache:apache:23) >>>>>>> and then found checksum-maven-plugin was added [1] somewhen in >>>> between. >>>>>>> >>>>>>> So, seems we have to switched to newer apache pom and maybe add >>>>>>> checksum-maven-plugin >>>>>>> to our main pom. >>>>>>> >>>>>>> [1] >>>>>>> >>>>>>> >>>>> >>>> >>> https://github.com/apache/maven-apache-parent/commit/a46aa52b4b56d9b7aa62e1b8cbea5ff0af434a >>>>>>> >>>>>>> On Wed, Jan 13, 2021 at 10:41 PM Valentin Kulichenko < >>>>>>> valentin.kuliche...@gmail.com> wrote: >>>>>>> >>>>>>>> Hi Andrey, >>>>>>>> >>>>>>>> This indeed sounds like the cleanest way. I don't know how much >>>> effort >>>>>>> that >>>>>>>> would be though. >>>>>>>> >>>>>>>> -Val >>>>>>>> >>>>>>>> On Wed, Jan 13, 2021 at 11:01 AM Andrey Mashenkov < >>>>>>>> andrey.mashen...@gmail.com> wrote: >>>>>>>> >>>>>>>>> Maybe, we could donate to maven plugin possibility to switch to >>>>>>> SHA-512. >>>>>>>>> Hopefully, a new plugin version will be released before we have >>> any >>>>>>>> release >>>>>>>>> candidate. >>>>>>>>> >>>>>>>>> Is it looks like a big deal? >>>>>>>>> >>>>>>>>> ср, 13 янв. 2021 г., 21:32 Valentin Kulichenko < >>>>>>>>> valentin.kuliche...@gmail.com>: >>>>>>>>> >>>>>>>>>> Hi Ivan, >>>>>>>>>> >>>>>>>>>> No, I haven't found a way yet. SHA1 still works, but I believe >>> we >>>>>>>> should >>>>>>>>>> consider using better options in future releases. >>>>>>>>>> >>>>>>>>>> Do you have any ideas on how to implement this? >>>>>>>>>> >>>>>>>>>> -Val >>>>>>>>>> >>>>>>>>>> On Wed, Jan 13, 2021 at 8:21 AM Ivan Pavlukhin < >>>> vololo...@gmail.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Folks, >>>>>>>>>>> >>>>>>>>>>> Were you able to resolve this? >>>>>>>>>>> >>>>>>>>>>> 2020-12-28 22:15 GMT+03:00, Valentin Kulichenko < >>>>>>>>>>> valentin.kuliche...@gmail.com>: >>>>>>>>>>>> Hi Ivan, >>>>>>>>>>>> >>>>>>>>>>>> Thanks for your response. I've looked into the PGP plugin, and >>>>>>>>>>>> unfortunately it looks like it only can create signatures, but >>>>>>> not >>>>>>>>>>>> checksums. >>>>>>>>>>>> >>>>>>>>>>>> -Val >>>>>>>>>>>> >>>>>>>>>>>> On Sun, Dec 27, 2020 at 11:54 PM Ivan Bessonov < >>>>>>>>> bessonov...@gmail.com> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> I've never done this before, but it seems like we need >>>>>>>>>> maven-gpg-plugin >>>>>>>>>>>>> for >>>>>>>>>>>>> it [1]. >>>>>>>>>>>>> >>>>>>>>>>>>> Algorithm configuration would look like this: >>>>>>>>>>>>> <gpgArguments> >>>>>>>>>>>>> <arg>--digest-algo=SHA512</arg> >>>>>>>>>>>>> </gpgArguments> >>>>>>>>>>>>> >>>>>>>>>>>>> Maybe this will help. >>>>>>>>>>>>> >>>>>>>>>>>>> [1] >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>> >>>> >>> http://maven.apache.org/plugins-archives/maven-gpg-plugin-LATEST/sign-mojo.html >>>>>>>>>>>>> >>>>>>>>>>>>> пн, 28 дек. 2020 г. в 01:25, Valentin Kulichenko < >>>>>>>>>>>>> valentin.kuliche...@gmail.com>: >>>>>>>>>>>>> >>>>>>>>>>>>>> Igniters, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I've been preparing the 3.0.0-alpha1 release and got >>> confused >>>>>>>>> about >>>>>>>>>>> the >>>>>>>>>>>>>> requirements for checksums in Maven deployments. The Apache >>>>>>>>>>> instruction >>>>>>>>>>>>> [1] >>>>>>>>>>>>>> states that MD5 is deprecated and SHA1 should be avoided in >>>>>>>> favor >>>>>>>>> of >>>>>>>>>>>>>> SHA-256 or SHA-512. However, it looks like we are still >>> using >>>>>>>> the >>>>>>>>>>>>> MD5/SHA1 >>>>>>>>>>>>>> combination (at least that's what the staging for 2.9.1 [2] >>>>>>>>>> contains). >>>>>>>>>>>>>> >>>>>>>>>>>>>> On top of that, I can't find an easy way to switch to >>> another >>>>>>>>>> checksum >>>>>>>>>>>>>> - >>>>>>>>>>>>>> Maven deploy plugin [3] creates MD5 and SHA1 files >>>>>>> automatically >>>>>>>>> and >>>>>>>>>>>>>> doesn't seem to have any options to tweak this behavior. >>>>>>>>>>>>>> >>>>>>>>>>>>>> That said, I have two questions: >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. Are we required to use SHA512 or MD5/SHA1 is OK for >>> now? >>>>>>>>>>>>>> 2. Is there a painless way to include SHA512 in addition >>> to >>>>>>>>>>>>>> MD5/SHA1? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Can anyone shed some light on this? >>>>>>>>>>>>>> >>>>>>>>>>>>>> [1] >>> https://infra.apache.org/release-signing.html#basic-facts >>>>>>>>>>>>>> [2] >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>> >>>> >>> https://repository.apache.org/content/repositories/orgapacheignite-1490/org/apache/ignite/ignite-core/2.9.1/ >>>>>>>>>>>>>> [3] >>>>>>>>>>>>> >>>>>>>>> >>>> https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html >>>>>>>>>>>>>> >>>>>>>>>>>>>> -Val >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Sincerely yours, >>>>>>>>>>>>> Ivan Bessonov >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> >>>>>>>>>>> Best regards, >>>>>>>>>>> Ivan Pavlukhin >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Best regards, >>>>>>> Andrey V. Mashenkov >>>>>>> >>>>> >>>>> >>>> >>>> -- >>>> Best regards, >>>> Andrey V. Mashenkov >>>> >>> >> > > -- > Best regards, > Andrey V. Mashenkov
