michael-o edited a comment on pull request #40: URL: https://github.com/apache/maven-apache-parent/pull/40#issuecomment-947437962
@ctubbsii @hboutemy @kwin There are many, many issues conflated here and a lot of misunderstanding in general. I had a very lengthy talk about this in general with @cstamas recently. Disclaimer: I will not talk about signatures here.

First of all, Maven repo (e.g., Central) != Apache dist area. The checksums in the repo are solely for bitrot, *NOTHING ELSE*. The format is basically an implementation detail of Maven Resolver, though the parsing is lenient. @kwin You may remember that we have talked about this.

Now let's get to the reference from @kwin: There is a lot of wrong information on this page. The heading says "Checking Hashes", then it talks about checksums. Checksums are **not** the same as hashes. Throughout, they completely confuse cryptographic hashing with integrity checks (checksums/bitrot). I quote:

> There are lots of checksum algorithms; we use SHA-1, SHA-256, SHA-512 and MD5.

Those are **not** checksum algorithms.

@ctubbsii Here I do agree with you that the dist area is mostly designed for human consumption (or curl, etc.) and **not** Maven Resolver. Therefore proper checksums are highly advised. I highly favor BSD tags since they are the default, obviously, on BSD systems including macOS; OpenSSL generates them by default as well, and GNU sum tools can produce and consume them with ease.

Upshot: Let's discuss a proper solution for the Apache dist area for all Maven-based projects.

PS: You can of course abuse a cryptographic hashing algorithm like `SHA-x` for checksums, but there are much, much better alternatives like `xxHash`. I consider SHA-2 for Maven Central as mostly pointless and a pure waste of CPU cycles. See also https://www.mail-archive.com/dev@maven.apache.org/msg125281.html.