Posted to commits@lucene.apache.org by ja...@apache.org on 2018/09/26 14:05:31 UTC

lucene-solr:branch_7x: LUCENE-8493: Stop publishing insecure .sha1 files with releases

Repository: lucene-solr
Updated Branches:
  refs/heads/branch_7x 1ab6b8e5d -> ecd392a08


LUCENE-8493: Stop publishing insecure .sha1 files with releases

(cherry picked from commit 03c9c04353ce1b5ace33fddd5bd99059e63ed507)


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/ecd392a0
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/ecd392a0
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/ecd392a0

Branch: refs/heads/branch_7x
Commit: ecd392a08d42975960d0cd5d5177061e6a7687f1
Parents: 1ab6b8e
Author: Jan Høydahl <ja...@apache.org>
Authored: Wed Sep 26 15:31:26 2018 +0200
Committer: Jan Høydahl <ja...@apache.org>
Committed: Wed Sep 26 15:48:54 2018 +0200

----------------------------------------------------------------------
 dev-tools/scripts/prep-solr-ref-guide-rc.sh    |  4 +---
 dev-tools/scripts/smokeTestRelease.py          | 13 ++-----------
 lucene/CHANGES.txt                             |  2 ++
 lucene/common-build.xml                        |  1 -
 solr/solr-ref-guide/src/meta-docs/publish.adoc |  7 +++----
 5 files changed, 8 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ecd392a0/dev-tools/scripts/prep-solr-ref-guide-rc.sh
----------------------------------------------------------------------
diff --git a/dev-tools/scripts/prep-solr-ref-guide-rc.sh b/dev-tools/scripts/prep-solr-ref-guide-rc.sh
index ff9985d..a7bcc3b 100755
--- a/dev-tools/scripts/prep-solr-ref-guide-rc.sh
+++ b/dev-tools/scripts/prep-solr-ref-guide-rc.sh
@@ -20,7 +20,7 @@
 # Prepares an RC of the Solr Ref Guide by doing local file operations to:
 #  - create a directory for the RC files
 #  - move the PDF files into the RC directory with the appropriate name
-#  - generate SHA1 and SHA512 of the PDF file
+#  - generate SHA512 of the PDF file
 #  - GPG sign the PDF files
 #
 # See: https://cwiki.apache.org/confluence/display/solr/Internal+-+How+To+Publish+This+Documentation
@@ -63,7 +63,6 @@ fi
 PREFIX="apache-solr-ref-guide"
 DIR="$PREFIX-$VER_RC"
 PDF="$PREFIX-$VER.pdf"
-SHA="$PDF.sha1"
 SHA512="$PDF.sha512"
 GPG="$PDF.asc"
 
@@ -85,7 +84,6 @@ set -x
 mkdir $DIR || exit 1
 mv $SRC_FILE $DIR/$PDF || exit 1
 cd $DIR || exit 1
-shasum $PDF > $SHA || exit 1
 shasum -a 512 $PDF > $SHA512 || exit 1
 gpg $GPG_ID_ARG --armor --output $GPG --detach-sig $PDF|| exit 1
 

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ecd392a0/dev-tools/scripts/smokeTestRelease.py
----------------------------------------------------------------------
diff --git a/dev-tools/scripts/smokeTestRelease.py b/dev-tools/scripts/smokeTestRelease.py
index 70bea24..82f3d27 100644
--- a/dev-tools/scripts/smokeTestRelease.py
+++ b/dev-tools/scripts/smokeTestRelease.py
@@ -295,7 +295,7 @@ def checkSigs(project, urlString, version, tmpDir, isSigned, keysFile):
   expectedSigs = []
   if isSigned:
     expectedSigs.append('asc')
-  expectedSigs.extend(['sha1', 'sha512'])
+  expectedSigs.extend(['sha512'])
 
   artifacts = []
   for text, subURL in ents:
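Review bot: `expectedSigs.extend(['sha512'])` on the changed line wraps a single value in a list only to splice it in; `expectedSigs.append('sha512')` states the intent directly and matches the `expectedSigs.append('asc')` two lines above it. With the sha1 entry gone there is no longer a list to extend with, so the `extend` form reads like a leftover from the old two-element version. The rest of checkSigs, including how expectedSigs is compared against the artifacts found, lies outside this hunk.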
@@ -538,29 +538,20 @@ def run(command, logFile):
     raise RuntimeError('command "%s" failed; see log file %s' % (command, logPath))
     
 def verifyDigests(artifact, urlString, tmpDir):
-  print('    verify sha1/sha512 digests')
-  sha1Expected, t = load(urlString + '.sha1').strip().split()
-  if t != '*'+artifact:
-    raise RuntimeError('SHA1 %s.sha1 lists artifact %s but expected *%s' % (urlString, t, artifact))
-
+  print('    verify sha512 digest')
   sha512Expected, t = load(urlString + '.sha512').strip().split()
   if t != '*'+artifact:
     raise RuntimeError('SHA512 %s.sha512 lists artifact %s but expected *%s' % (urlString, t, artifact))
   
-  s = hashlib.sha1()
   s512 = hashlib.sha512()
   f = open('%s/%s' % (tmpDir, artifact), 'rb')
   while True:
     x = f.read(65536)
     if len(x) == 0:
       break
-    s.update(x)
     s512.update(x)
   f.close()
-  sha1Actual = s.hexdigest()
   sha512Actual = s512.hexdigest()
-  if sha1Actual != sha1Expected:
-    raise RuntimeError('SHA1 digest mismatch for %s: expected %s but got %s' % (artifact, sha1Expected, sha1Actual))
   if sha512Actual != sha512Expected:
     raise RuntimeError('SHA512 digest mismatch for %s: expected %s but got %s' % (artifact, sha512Expected, sha512Actual))
 
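Review bot: The rewritten verifyDigests body still opens the artifact with a bare `f = open(...)` / `f.close()` pair, so the handle is not closed if `f.read` or `s512.update` raises; since the read loop was edited anyway, `with open('%s/%s' % (tmpDir, artifact), 'rb') as f:` with the loop indented beneath it would close it on every path. The function also has no docstring; a one-liner such as `"""Check the artifact's SHA-512 against the .sha512 file published beside it (same urlString); this detects corruption, not tampering, as the digest comes from the same location as the artifact."""` would make the trust boundary explicit, with the `.asc` signature check in checkSigs presumably being what establishes authenticity. Unpacking `load(urlString + '.sha512').strip().split()` straight into two names raises a bare ValueError if the digest file has a different shape; a length check that raises a descriptive RuntimeError would match the error style of the lines that follow. verifyDigests appears to be contained entirely within this hunk.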

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ecd392a0/lucene/CHANGES.txt
----------------------------------------------------------------------
diff --git a/lucene/CHANGES.txt b/lucene/CHANGES.txt
index 4c01ba5..615867a 100644
--- a/lucene/CHANGES.txt
+++ b/lucene/CHANGES.txt
@@ -12,6 +12,8 @@ Build
 * LUCENE-8498: Deprecate LowerCaseTokenizer and CharTokenizer static methods
   that take normalizer functions (Alan Woodward)
 
+* LUCENE-8493: Stop publishing insecure .sha1 files with releases (janhoy)
+
 ======================= Lucene 7.5.1 =======================
 
 Bug Fixes:

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ecd392a0/lucene/common-build.xml
----------------------------------------------------------------------
diff --git a/lucene/common-build.xml b/lucene/common-build.xml
index 0d38822..1a6839b 100644
--- a/lucene/common-build.xml
+++ b/lucene/common-build.xml
@@ -2296,7 +2296,6 @@ ${ant.project.name}.test.dependencies=${test.classpath.list}
     <attribute name="file"/>
     <sequential>
       <echo>Building checksums for '@{file}'</echo>
-      <checksum file="@{file}" algorithm="sha1" fileext=".sha1" format="MD5SUM" forceoverwrite="yes" readbuffersize="65536"/>
       <checksum file="@{file}" algorithm="SHA-512" fileext=".sha512" format="MD5SUM" forceoverwrite="yes" readbuffersize="65536"/>
     </sequential>
   </macrodef>

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/ecd392a0/solr/solr-ref-guide/src/meta-docs/publish.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/meta-docs/publish.adoc b/solr/solr-ref-guide/src/meta-docs/publish.adoc
index 78ef290..70112ba 100644
--- a/solr/solr-ref-guide/src/meta-docs/publish.adoc
+++ b/solr/solr-ref-guide/src/meta-docs/publish.adoc
@@ -71,7 +71,7 @@ These steps walk through checking out this directory and uploading the Guide to
 IMPORTANT: The next step requires that you have already generated your GPG keys. Your GPG passphrase will be required.
 
 [start=3]
-. Run the Prep Ref Guide script to prepare the RC. This script ensures proper naming of the PDF file, generates `.sha1`,
+. Run the Prep Ref Guide script to prepare the RC. This script ensures proper naming of the PDF file, generates 
  `.sha512` and `.asc` files and creates the proper RC sub-directories under `solr-ref-guide-rc`.
 .. The structure of the input is: `prep-solr-ref-guide-rc.sh <path/PDFfilename> <Solrversion-RC#> GPGkey`.
 .. From the `solr-ref-guide-rc` directory, it will look something like this:
@@ -83,7 +83,6 @@ $ ~/lucene-source/dev-tools/scripts/prep-solr-ref-guide-rc.sh apache-solr-ref-gu
 + mkdir apache-solr-ref-guide-7.0-RC0
 + mv apache-solr-ref-guide-7.0.pdf apache-solr-ref-guide-7.0-RC0/apache-solr-ref-guide-7.0.pdf
 + cd apache-solr-ref-guide-7.0-RC0
-+ shasum apache-solr-ref-guide-7.0.pdf
 + shasum -a 512 apache-solr-ref-guide-7.0.pdf
 + gpg -u DEADBEEF --armor --output apache-solr-ref-guide-7.0.pdf.asc --detach-sig apache-solr-ref-guide-7.0.pdf
 
@@ -157,7 +156,7 @@ Once at least three PMC members have voted for release (see https://www.apache.o
 $ ~/lucene-source/dev-tools/scripts/publish-solr-ref-guide-rc.sh X.Y-RCZ
 
 ## Run the following commands when ready...
-svn move -m 'publishing apache-solr-ref-guide-X.Y-RCZ' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.asc https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.sha1 https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.sha512 https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/
+svn move -m 'publishing apache-solr-ref-guide-X.Y-RCZ' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.asc https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ/apache-solr-ref-guide-X.Y.pdf.sha512 https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/
 
 svn rm -m 'cleaning up apache-solr-ref-guide-X.Y-RCZ' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RCZ
 ----
@@ -182,7 +181,7 @@ $ ~/lucene-source/dev-tools/scripts/archive-solr-ref-guide.sh X.Y
 ## Run the following commands when ready...
 
 # Delete old releases
-svn rm -m 'removing archived ref guide files prior to X.Y' https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.asc https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.sha1
+svn rm -m 'removing archived ref guide files prior to X.Y' https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.asc https://dist.apache.org/repos/dist/release/lucene/solr/ref-guide/apache-solr-ref-guide-A.B.pdf.sha512
 
 # Delete old RC files
 svn rm -m 'cleaning up old RCs now that X.Y has been released' https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RC0/ https://dist.apache.org/repos/dist/dev/lucene/solr/ref-guide/apache-solr-ref-guide-X.Y-RC1/