On Fri, Jul 17, 2015 at 02:51PM, Marvin Humphrey wrote:
> Hi Cos,
>
> Thanks for providing a thoughtfully documented review.
>
> On Fri, Jul 17, 2015 at 2:24 PM, Konstantin Boudnik <c...@apache.org> wrote:
> > +1 (binding)
>
> > Please consider fixing in the next release:
> >  - sha checksum is formatted in a way that makes automatic validation (with
> >    sha512sum -c) impossible. Also, it'd be better to make sha512 suffix for
> >    the checksum file. sha is too ambiguous.
> >  - md5sum file is pretty much useless considering its weak security
> >    properties. Perhaps makes sense to get rid of it?
>
> As of a few months ago, requirements regarding cryptographic sums and
> signatures have been codified in a section of the Release Distribution
> Policy, curated by VP Infrastructure.
>
>     http://www.apache.org/dev/release-distribution#sigs-and-sums
>
> If you wanted to make a proposal regarding removal of MD5 checksums,
> infrastructure-dev@apache is the place to go.

Ah... I've missed that part. Taking back md5sum comment. Thanks!
  Cos

> The format required by sha512sum is a bit of a pain to produce on
> systems where sha512sum itself is not available. For a Mac, or any
> other system where Perl is present, something like this will work:
>
>     perl -MDigest -e '$d = Digest->new("MD5"); open $fh,
>         "<", "apache-foo-1.2.3.tar.gz" or die; $d->addfile($fh);
>         print $d->hexdigest; print "  apache-foo-1.2.3.tar.gz\n"' \
>         > apache-foo-1.2.3.tar.gz.md5
>
> I'm sure there are other hack invocations possible with other tools.
>
> Marvin Humphrey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>
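Added example, not part of the thread and not Apache release tooling: a Python sketch that writes a .sha512 file in the layout GNU `sha512sum -c` reads (hex digest, a space, then a space for text mode or `*` for binary mode, then the file name) and re-checks it on a system without coreutils. The function names and the sample file contents are constructed for illustration; the file name is the placeholder used in the thread.

```python
import hashlib
import hmac
import os
import re
import tempfile

LINE_RE = re.compile(r"([0-9a-fA-F]{128}) [ *](.+)")  # digest, ' ' or '*' mode flag, name

def sha512_hex(path, chunk_size=1 << 20):
    """Stream the file so large release tarballs are not read into memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_checksum_file(artifact):
    """Write <artifact>.sha512 as '<hex>  <basename>' with LF line endings."""
    out = artifact + ".sha512"
    with open(out, "w", newline="\n") as fh:  # CRLF would break sha512sum -c
        fh.write("%s  %s\n" % (sha512_hex(artifact), os.path.basename(artifact)))
    return out

def verify_checksum_file(checksum_path):
    """Return {name: bool} per entry; names resolve beside the checksum file."""
    base = os.path.dirname(os.path.abspath(checksum_path))
    results = {}
    with open(checksum_path) as fh:
        for raw in fh:
            m = LINE_RE.fullmatch(raw.rstrip("\n"))
            if m is None:
                raise ValueError("not in sha512sum -c format: %r" % raw)
            actual = sha512_hex(os.path.join(base, m.group(2)))
            results[m.group(2)] = hmac.compare_digest(actual, m.group(1).lower())
    return results

def demo():
    """Constructed sample: a small stand-in file, checked before and after a change."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "apache-foo-1.2.3.tar.gz")
        with open(artifact, "wb") as fh:
            fh.write(b"constructed sample bytes, not a real release\n")
        sums = write_checksum_file(artifact)
        before = verify_checksum_file(sums)
        with open(artifact, "ab") as fh:
            fh.write(b"modified after checksumming")
        return before, verify_checksum_file(sums)

if __name__ == "__main__":
    print(demo())
```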