Repository: aurora-packaging
Updated Branches:
refs/heads/master ec923e6c6 -> de2ad96bd
Switch packaging release checksum to sha512
For our releases we will now be using .sha512 files rather than .sha files
containing sha1 checksums. This change is triggered by a recent update of
the Apache Release Distribution Policy.
Please see this mail for details:
```
Hi PMC,
The Release Distribution Policy[1] changed regarding .sha files.
See under "Cryptographic Signatures and Checksums Requirements" [2].
Old policy :
-- use extension .sha for any SHA checksum (SHA-1, SHA-256, SHA-512)
New policy :
-- use .sha1 for a SHA-1 checksum
-- use .sha256 for a SHA-256 checksum
-- use .sha512 for a SHA-512 checksum
-- [*] .sha should contain a SHA-1
Why this change ?
-- Verifying a checksum under the old policy is/was not handy.
You have to inspect the .sha to find out which algorithm
should be used ; or try them all (SHA-1, SHA256, etc).
The new scheme avoids this ambiguity.
-- The last point[*] was only added for clarity. Most of the
old, stale .sha's contain a SHA-1. The relatively new .sha's
contain a SHA-512. The expectation is that the last category will
disappear, when active projects adapt to the 'new' convention.
Impact :
-- Should be none ; many projects already use the 'new' convention.
-- Please ask your release managers to use .sha1, .sha256, .sha512
instead of the .sha extension.
-- Please fix your build-tools if you have any.
Piggyback :
-- The policy requires a .md5 for every package ;
providing a .sha512 is recommended.
Since MD5 is essentially broken, it is to be expected that
in the future a .sha512 will be required.
Perhaps it is wise to start providing .sha512's
with your releases if you do not already do so.
-- Visit http://mirror-vm.apache.org/checker/
to check the health of your /dist/-area ;
my stuff ; any feedback is most welcome.
Thanks ; regards,
Henk Penning
[1] http://www.apache.org/dev/release-distribution
[2] http://www.apache.org/dev/release-distribution#sigs-and-sums
```
Reviewed at https://reviews.apache.org/r/62831/
Project: http://git-wip-us.apache.org/repos/asf/aurora-packaging/repo
Commit: http://git-wip-us.apache.org/repos/asf/aurora-packaging/commit/de2ad96b
Tree: http://git-wip-us.apache.org/repos/asf/aurora-packaging/tree/de2ad96b
Diff: http://git-wip-us.apache.org/repos/asf/aurora-packaging/diff/de2ad96b
Branch: refs/heads/master
Commit: de2ad96bde657962ef7512c260eac9e96d0edf00
Parents: ec923e6
Author: Stephan Erb <[email protected]>
Authored: Sun Oct 8 18:59:24 2017 +0200
Committer: Stephan Erb <[email protected]>
Committed: Sun Oct 8 18:59:24 2017 +0200
----------------------------------------------------------------------
build-support/release/release-candidate | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/aurora-packaging/blob/de2ad96b/build-support/release/release-candidate
----------------------------------------------------------------------
diff --git a/build-support/release/release-candidate
b/build-support/release/release-candidate
index c5aad69..adc378c 100755
--- a/build-support/release/release-candidate
+++ b/build-support/release/release-candidate
@@ -47,7 +47,7 @@ function sign_artifacts() {
# Create the checksums
gpg --print-md MD5 "${name}" > "${stage_dir}/${name}.md5"
- shasum "${name}" > "${stage_dir}/${name}.sha"
+ shasum -a 512 "${name}" > "${stage_dir}/${name}.sha512"
done
popd
}
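Review bot: the new `shasum -a 512` line in sign_artifacts() renames the output from `${name}.sha` to `${name}.sha512`, but the diffstat shows only build-support/release/release-candidate changing, so anything else in the release tooling that reads, uploads or links to `${name}.sha` (not visible in this diff) needs the same rename or it will point at a file that is no longer produced. Separately, the `>` redirect creates the .sha512 file even when shasum itself fails, and this hunk does not show whether the script runs with errexit; if it does not, check the exit status here, or re-read the file with `shasum -a 512 -c "${stage_dir}/${name}.sha512"` before leaving the loop, so an empty or truncated checksum cannot be staged next to the artifact. The unchanged `gpg --print-md MD5` line writes a different layout from shasum's, which is worth a comment above `# Create the checksums` so that verifiers know only the .sha512 file is usable with `shasum -c`.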