What is the correct forum for discussing release distribution policy? Current policy [1] states:

> Every artifact distributed to the public through Apache channels MUST be accompanied by one file containing an OpenPGP compatible ASCII armored detached signature and another file containing an MD5 checksum. ... An SHA checksum SHOULD also be created.

MD5 is no longer deemed secure [2]. I think we should remove it from our releases and mandate SHA256 or SHA512.

Julian

[1] http://www.apache.org/dev/release-distribution.html#sigs-and-sums
[2] https://en.wikipedia.org/wiki/Md5sum