Posted to dev@brooklyn.apache.org by GitBox <gi...@apache.org> on 2019/12/09 22:07:28 UTC

[GitHub] [brooklyn-dist] geomacy commented on a change in pull request #150: BROOKLYN-597 Remove md5/sha1 - DO NOT MERGE

geomacy commented on a change in pull request #150: BROOKLYN-597 Remove md5/sha1 - DO NOT MERGE
URL: https://github.com/apache/brooklyn-dist/pull/150#discussion_r355711838
 
 

 ##########
 File path: release/make-release-artifacts.sh
 ##########
 @@ -270,19 +270,21 @@ cp ${src_staging_dir}/brooklyn-dist/deb-packaging/target/apache-brooklyn-${curre
 ###############################################################################
 # Signatures and checksums
 
-# OSX doesn't have sha256sum, even if MacPorts md5sha1sum package is installed.
+# OSX doesn't have sha256sum, even if MacPorts package is installed.
 # Easy to fake it though.
 which sha256sum >/dev/null || alias sha256sum='shasum -a 256' && shopt -s expand_aliases
 
-( cd ${artifact_dir} &&
-    for a in *.tar.gz *.zip *.rpm *.deb; do
-        md5sum -b ${a} > ${a}.md5
-        sha1sum -b ${a} > ${a}.sha1
-        sha256sum -b ${a} > ${a}.sha256
-        gpg2 --armor --output ${a}.asc --detach-sig ${a}
-    done
+(
+  cd ${artifact_dir}
+  checksum_file="${artifact_name}-SHA256SUMS"
+
+  for a in *.tar.gz *.zip *.rpm *.deb; do
+      sha256sum -b ${a} >> ${checksum_file}
+  done
+  gpg2 --armor --output ${checksum_file}.asc --detach-sig ${checksum_file}
 
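Review bot: the new `cd ${artifact_dir}` line has lost the `&&` that the removed subshell had, so if the cd fails, the loop and the gpg2 call still run in whatever directory the script was in (unless the script runs under `set -e`, which these lines do not show). Keep `cd ${artifact_dir} &&` or add `|| exit 1`. In the loop, `sha256sum -b ${a} >> ${checksum_file}` appends to a file that is never truncated, so a rerun over an existing artifact directory would sign stale or duplicate entries; empty the file before the loop, for example with `: > ${checksum_file}`. The per-artifact `${a}.asc` signature is also dropped here, which leaves each archive covered only indirectly through the signed checksum list.
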
 Review comment:
   Hm. The policy text quoted in the JIRA doesn't mandate that there has to be a 1:1 correspondence between the artifact and the checksum/signature file, only that there should be a checksum and signature; I was thinking that having one file to do the job for each artifact would be ok.
   
   But you've made me look again at the policy and, lo and behold, it does mandate the 1:1 correspondence in the next paragraph: `The names of signature and checksum files MUST be formed by adding to the name of the artifact the following suffixes:` etc.
   
   So you're right, we need a sum and signature for each artifact independently.
   
   I'll revert that change and push it up again.
   
   
   
