Posted to commits@aurora.apache.org by se...@apache.org on 2017/10/08 16:41:50 UTC

aurora git commit: Switch release checksum to sha512

Repository: aurora
Updated Branches:
  refs/heads/master 0f1e68401 -> e0b6953ec


Switch release checksum to sha512

For our releases we will now be using .sha512 files rather than .sha files
containing sha1 checksums. This change is triggered by a recent update of
the Apache Release Distribution Policy.

Please see this mail for details:

```
Hi PMC,

    The Release Distribution Policy[1] changed regarding .sha files.
    See under "Cryptographic Signatures and Checksums Requirements" [2].

   Old policy :

     -- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)

   New policy :

      -- use .sha1 for a SHA-1 checksum
      -- use .sha256 for a SHA-256 checksum
      -- use .sha512 for a SHA-512 checksum
      -- [*] .sha should contain a SHA-1

   Why this change ?

      -- Verifying a checksum under the old policy is/was not handy.
         You have to inspect the .sha to find out which algorithm
         should be used ; or try them all (SHA-1, SHA256, etc).
         The new scheme avoids this ambiguity.
      -- The last point[*] was only added for clarity. Most of the
         old, stale .sha's contain a SHA-1. The relatively new .sha's
         contain a SHA-512. The expectation is that the last category will
         disappear, when active projects adapt to the 'new' convention.

   Impact :

      -- Should be none ; many projects already use the 'new' convention.
      -- Please ask your release managers to use .sha1, .sha256, .sha512
         instead of the .sha extension.
      -- Please fix your build-tools if you have any.

   Piggyback :

      -- The policy requires a .md5 for every package ;
         providing a .sha512 is recommended.
         Since MD5 is essentially broken, it is to be expected that
         in the future a .sha512 will be required.
         Perhaps it is wize to start providing .sha512's
         with your releases if you do not already do so.

      -- Visit http://mirror-vm.apache.org/checker/
         to check the health of your /dist/-area ;
         my stuff ; any feedback is most welcome.

   Thanks ; regards,

   Henk Penning

    [1] http://www.apache.org/dev/release-distribution
    [2] http://www.apache.org/dev/release-distribution#sigs-and-sums
```

Reviewed at https://reviews.apache.org/r/62830/


Project: http://git-wip-us.apache.org/repos/asf/aurora/repo
Commit: http://git-wip-us.apache.org/repos/asf/aurora/commit/e0b6953e
Tree: http://git-wip-us.apache.org/repos/asf/aurora/tree/e0b6953e
Diff: http://git-wip-us.apache.org/repos/asf/aurora/diff/e0b6953e

Branch: refs/heads/master
Commit: e0b6953ec33609486ee46cc9a95aff131be6a8ad
Parents: 0f1e684
Author: Stephan Erb <se...@apache.org>
Authored: Sun Oct 8 18:41:35 2017 +0200
Committer: Stephan Erb <se...@apache.org>
Committed: Sun Oct 8 18:41:35 2017 +0200

----------------------------------------------------------------------
 build-support/release/release                  | 2 +-
 build-support/release/release-candidate        | 2 +-
 build-support/release/verify-release-candidate | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/aurora/blob/e0b6953e/build-support/release/release
----------------------------------------------------------------------
diff --git a/build-support/release/release b/build-support/release/release
index ff7ee71..86bcbe4 100755
--- a/build-support/release/release
+++ b/build-support/release/release
@@ -194,7 +194,7 @@ gpg --armor --output ${dist_name}.tar.gz.asc --detach-sig ${dist_name}.tar.gz
 # Create the checksums
 echo "Creating checksums"
 gpg --print-md MD5 ${dist_name}.tar.gz > ${dist_name}.tar.gz.md5
-shasum ${dist_name}.tar.gz > ${dist_name}.tar.gz.sha
+shasum -a 512 ${dist_name}.tar.gz > ${dist_name}.tar.gz.sha512
 
 if [[ $publish == 1 ]]; then
   # Commit the release
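Review bot: The rewritten shasum line still leaves `${dist_name}.tar.gz` and the redirection target unquoted; since the line is being changed anyway, `shasum -a 512 "${dist_name}.tar.gz" > "${dist_name}.tar.gz.sha512"` costs nothing and keeps ShellCheck quiet. The same applies to the corresponding new lines in release-candidate and verify-release-candidate. The checksum block continues into the `if [[ $publish == 1 ]]` branch, whose body lies outside the hunk.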

http://git-wip-us.apache.org/repos/asf/aurora/blob/e0b6953e/build-support/release/release-candidate
----------------------------------------------------------------------
diff --git a/build-support/release/release-candidate b/build-support/release/release-candidate
index bab92bb..1a03d5e 100755
--- a/build-support/release/release-candidate
+++ b/build-support/release/release-candidate
@@ -215,7 +215,7 @@ pushd ${dist_dir}
   # Create the checksums
   echo "Creating checksums"
   gpg --print-md MD5 ${dist_name}.tar.gz > ${dist_name}.tar.gz.md5
-  shasum ${dist_name}.tar.gz > ${dist_name}.tar.gz.sha
+  shasum -a 512 ${dist_name}.tar.gz > ${dist_name}.tar.gz.sha512
 popd
 
 aurora_svn_rc_url="${aurora_svn_dist_url}/${rc_version}"

http://git-wip-us.apache.org/repos/asf/aurora/blob/e0b6953e/build-support/release/verify-release-candidate
----------------------------------------------------------------------
diff --git a/build-support/release/verify-release-candidate b/build-support/release/verify-release-candidate
index 3b9beee..dcd8114 100755
--- a/build-support/release/verify-release-candidate
+++ b/build-support/release/verify-release-candidate
@@ -41,10 +41,10 @@ fetch_archive() {
   download_rc_file ${dist_name}.tar.gz
   download_rc_file ${dist_name}.tar.gz.asc
   download_rc_file ${dist_name}.tar.gz.md5
-  download_rc_file ${dist_name}.tar.gz.sha
+  download_rc_file ${dist_name}.tar.gz.sha512
   gpg --verify ${dist_name}.tar.gz.asc ${dist_name}.tar.gz
   gpg --print-md MD5 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.md5
-  shasum ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha
+  shasum -a 512 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha512
 }
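Review bot: The new verification line compares shasum's formatted output textually with `diff`, so any difference in the filename column or whitespace between the release manager's and the verifier's `shasum` output could produce a spurious failure even when the digest matches; shasum's own check mode is the more robust form, `shasum -a 512 -c "${dist_name}.tar.gz.sha512"`. Note also that the .sha512 file is fetched from the same location as the archive two lines above, so this check only detects corruption in transit; the authenticity guarantee still comes from the unchanged `gpg --verify` call, which is worth stating in a comment such as `# signature establishes authenticity; the digests below only catch transfer corruption`. fetch_archive opens in the hunk header, and its closing brace is inside the hunk.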
 
 install_gradle_wrapper() {