You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by bb...@apache.org on 2018/03/12 09:32:24 UTC
mesos git commit: Used SHA512 for release file checksums.
Repository: mesos
Updated Branches:
refs/heads/master d863d61b2 -> 843e5e859
Used SHA512 for release file checksums.
Apache now requires SHA checksum files instead of the previously
required MD5, see the [signing recommendations](1). This patch updates
the Mesos vote and release tooling to accommodate that change in
policy. We use SHA512 as recommended in the [Apache SHA checksum
FAQ](2).
We also fix the format of the produced digest file to be compatible
with `sha512sum` to ease automatic release verification.
[1]: http://www.apache.org/dev/release-distribution#sigs-and-sums
[2]: http://www.apache.org/dev/release-signing#sha-checksum
Review: https://reviews.apache.org/r/65905/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/843e5e85
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/843e5e85
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/843e5e85
Branch: refs/heads/master
Commit: 843e5e85939d848b0898753c9d7542ecc997135c
Parents: d863d61
Author: Benjamin Bannier <be...@mesosphere.io>
Authored: Mon Mar 12 09:55:05 2018 +0100
Committer: Benjamin Bannier <bb...@apache.org>
Committed: Mon Mar 12 09:55:05 2018 +0100
----------------------------------------------------------------------
support/release.sh | 2 +-
support/vote.sh | 19 ++++++++++++-------
2 files changed, 13 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/843e5e85/support/release.sh
----------------------------------------------------------------------
diff --git a/support/release.sh b/support/release.sh
index 3aeda92..ced765b 100755
--- a/support/release.sh
+++ b/support/release.sh
@@ -43,7 +43,7 @@ echo "${GREEN}Checking out svn release repo ...${NORMAL}"
svn co --depth=empty ${SVN_RELEASE_REPO} ${SVN_RELEASE_LOCAL}
echo "${GREEN}Uploading the artifacts (the distribution," \
- "signature, and MD5) to the release repo ${NORMAL}"
+ "signature, and checksum) to the release repo ${NORMAL}"
mv ${TAG} ${SVN_RELEASE_LOCAL}/${VERSION}
http://git-wip-us.apache.org/repos/asf/mesos/blob/843e5e85/support/vote.sh
----------------------------------------------------------------------
diff --git a/support/vote.sh b/support/vote.sh
index 649eebc..9a72525 100755
--- a/support/vote.sh
+++ b/support/vote.sh
@@ -33,6 +33,11 @@ if [ "$(git cat-file -t $TAG)" != "tag" ]; then
exit 1;
fi
+# Releases are signed with `sha512sum` which is installed as
+# `gsha512sum` from Homebrew's `coreutils` package.
+echo "Checking for sha512sum or gsha512sum"
+SHA512SUM=$(command -v sha512sum || command -v gsha512sum)
+
echo "${GREEN}Tagging and Voting for mesos-${VERSION} candidate ${CANDIDATE}${NORMAL}"
read -p "Hit enter to continue ... "
@@ -95,10 +100,10 @@ echo "${GREEN}Signing the distribution ...${NORMAL}"
# Sign the tarball.
gpg --armor --output ${TARBALL}.asc --detach-sig ${TARBALL}
-echo "${GREEN}Creating a MD5 checksum...${NORMAL}"
+echo "${GREEN}Creating a SHA512 checksum ...${NORMAL}"
-# Create MD5 checksum.
-gpg --print-md MD5 ${TARBALL} > ${TARBALL}.md5
+# Create SHA512 checksum.
+"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512
SVN_DEV_REPO="https://dist.apache.org/repos/dist/dev/mesos"
SVN_DEV_LOCAL="${WORK_DIR}/dev"
@@ -110,11 +115,11 @@ echo "${GREEN}Checking out svn dev repo ...${NORMAL}"
svn co --depth=empty ${SVN_DEV_REPO} ${SVN_DEV_LOCAL}
echo "${GREEN}Uploading the artifacts (the distribution," \
- "signature, and MD5) ...${NORMAL}"
+ "signature, and checksum) ...${NORMAL}"
RELEASE_DIRECTORY="${SVN_DEV_LOCAL}/${TAG}"
mkdir ${RELEASE_DIRECTORY}
-mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.md5 ${RELEASE_DIRECTORY}
+mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.sha512 ${RELEASE_DIRECTORY}
popd # build
popd # mesos
@@ -155,8 +160,8 @@ ${SVN_DEV_REPO}/${TAG}/${TARBALL}
The tag to be voted on is ${TAG}:
https://git-wip-us.apache.org/repos/asf?p=mesos.git;a=commit;h=${TAG}
-The MD5 checksum of the tarball can be found at:
-${SVN_DEV_REPO}/${TAG}/${TARBALL}.md5
+The SHA512 checksum of the tarball can be found at:
+${SVN_DEV_REPO}/${TAG}/${TARBALL}.sha512
The signature of the tarball can be found at:
${SVN_DEV_REPO}/${TAG}/${TARBALL}.asc