scala / scala-jenkins-infra

A Chef cookbook that manages Scala's CI infrastructure.
https://scala-ci.typesafe.com
Apache License 2.0

Make sure artifacts cannot be overwritten on download page #198

Closed adriaanm closed 3 years ago

adriaanm commented 7 years ago

The s3-plugin that handles uploading our release artifacts will overwrite, with no way currently of preventing this on the server or client. This has resulted in 2.12.0 artifacts being regenerated from the same tag by the nightly job, and due to varying timestamps, they have different content and thus shas.

We should make sure this doesn't happen by construction. For now, I've added a note to the release checklist (and, of course, disabled the release job).

Multiple implementation strategies:

dwijnand commented 7 years ago

In addition, when we make a release we should publicly state their checksums.

SethTisue commented 7 years ago

that's https://github.com/scala/scala-lang/issues/463

adriaanm commented 7 years ago

Here are the sha256 sums for 2.12.0:

4fe80b742f31c5ec8141b04fe03acde6f8885777927943cde2f9be9fe6dab3b1  scala-2.12.0.deb
ccf0b764b912b382a2398c9583777b47163d27fd0ae3a88e59fc3b92ad1023ac  scala-2.12.0.msi
e9697e5bf14194d563ada4ac0df104fe8c155677969d98824d886bf54a702d20  scala-2.12.0.rpm
42be98ff9754518fd5c9a942c94ffba2464667a5e95ed4917e4e95565c96bdfe  scala-2.12.0.tgz
e6e6dadfb2c08a7da0e6095c0236a10969e057465bc283a1987a4a142ebabb42  scala-2.12.0.zip
41fb1eed6ffc68e4946f56af16e8270e0f722be7d88a64bc19fa1f861f13a0b7  scala-docs-2.12.0.tgz
4cb52f403339f961025de266adfaf75b5d4c15133bf0241f1e8ac058a6afc4c5  scala-docs-2.12.0.txz
01d90b2d7aad6c32a03552e34074710de3facebe0b1fa88f0b4eda31f04d04eb  scala-docs-2.12.0.zip

adriaanm commented 7 years ago

This script should be updated: https://github.com/scala/scala-dist/blob/2.12.x/scripts/jobs/release/website/archives

SethTisue commented 6 years ago

the don't-overwrite part of this is probably still relevant, but the consensus on https://github.com/scala/scala-lang/issues/463 was to do gnupg signing instead of publishing checksums; that's now https://github.com/scala/scala-dist/issues/188

SethTisue commented 3 years ago

releases are now published from Travis-CI not Jenkins
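
A client-side guard for the overwrite problem described in the opening comment, as an added example that is not part of this thread or of the scala-jenkins-infra code: before uploading, it compares each artifact's SHA-256 with a manifest of what is already published and refuses if any existing name would get different bytes. `plan_upload`, `OverwriteRefused` and the manifest format are hypothetical names, and how the manifest is obtained is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


class OverwriteRefused(Exception):
    def __init__(self, conflicts):
        self.conflicts = conflicts  # [(name, published_sha, local_sha)]
        names = ", ".join(c[0] for c in conflicts)
        super().__init__(f"refusing to overwrite published artifacts: {names}")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plan_upload(local_files, published):
    """Fail closed: raise before any upload if a published name would change.
    `published` is a hypothetical manifest {file name: sha256 hex}."""
    to_upload, unchanged, conflicts = [], [], []
    for path in map(Path, local_files):
        local_sha = sha256_file(path)
        published_sha = published.get(path.name)
        if published_sha is None:
            to_upload.append((path.name, local_sha))  # new name: allowed
        elif published_sha == local_sha:
            unchanged.append(path.name)  # byte-identical: nothing to do
        else:
            conflicts.append((path.name, published_sha, local_sha))
    if conflicts:
        raise OverwriteRefused(conflicts)
    return to_upload, unchanged


if __name__ == "__main__":
    # Constructed sample: the same tag rebuilt later, yielding different bytes.
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "example-1.0.0.tgz"
        artifact.write_bytes(b"built from tag, timestamp A")
        manifest = {artifact.name: sha256_file(artifact)}
        artifact.write_bytes(b"built from tag, timestamp B")
        try:
            plan_upload([artifact], manifest)
        except OverwriteRefused as err:
            print(err)
```

The check and the upload are not atomic, so the guarantee only holds when a single release job is the sole writer to the download location.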