Repository: mesos
Updated Branches:
  refs/heads/1.3.x 487c41fec -> 5e8572e4b
  refs/heads/1.4.x 84c97007c -> dcd98531d
  refs/heads/1.5.x f0f1b55e0 -> 64202a178


Used SHA512 for release file checksums.

Apache now requires SHA checksum files instead of the previously
required MD5, see the [signing recommendations](1). This patch updates
the Mesos vote and release tooling to accommodate that change in
policy. We use SHA512 as recommended in the [Apache SHA checksum
FAQ](2).

We also fix the format of the produced digest file to be compatible
with `sha512sum` to ease automatic release verification.

[1]: http://www.apache.org/dev/release-distribution#sigs-and-sums
[2]: http://www.apache.org/dev/release-signing#sha-checksum

Review: https://reviews.apache.org/r/65905/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/64202a17
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/64202a17
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/64202a17

Branch: refs/heads/1.5.x
Commit: 64202a1781541c433043771872c0d66fb2909595
Parents: f0f1b55
Author: Benjamin Bannier <benjamin.bann...@mesosphere.io>
Authored: Mon Mar 12 09:55:05 2018 +0100
Committer: Benjamin Bannier <bbann...@apache.org>
Committed: Mon Mar 12 10:35:52 2018 +0100

----------------------------------------------------------------------
 support/release.sh |  2 +-
 support/vote.sh    | 19 ++++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/64202a17/support/release.sh
----------------------------------------------------------------------
diff --git a/support/release.sh b/support/release.sh
index 3aeda92..ced765b 100755
--- a/support/release.sh
+++ b/support/release.sh
@@ -43,7 +43,7 @@ echo "${GREEN}Checking out svn release repo ...${NORMAL}"
 svn co --depth=empty ${SVN_RELEASE_REPO} ${SVN_RELEASE_LOCAL}
 
 echo "${GREEN}Uploading the artifacts (the distribution," \
-  "signature, and MD5) to the release repo ${NORMAL}"
+  "signature, and checksum) to the release repo ${NORMAL}"
 
 mv ${TAG} ${SVN_RELEASE_LOCAL}/${VERSION}
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/64202a17/support/vote.sh
----------------------------------------------------------------------
diff --git a/support/vote.sh b/support/vote.sh
index 649eebc..9a72525 100755
--- a/support/vote.sh
+++ b/support/vote.sh
@@ -33,6 +33,11 @@ if [ "$(git cat-file -t $TAG)" != "tag" ]; then
   exit 1;
 fi
 
+# Releases are signed with `sha512sum` which is installed as
+# `gsha512sum` from Homebrew's `coreutils` package.
+echo "Checking for sha512sum or gsha512sum"
+SHA512SUM=$(command -v sha512sum || command -v gsha512sum)
+
 echo "${GREEN}Tagging and Voting for mesos-${VERSION} candidate 
${CANDIDATE}${NORMAL}"
 
 read -p "Hit enter to continue ... "
@@ -95,10 +100,10 @@ echo "${GREEN}Signing the distribution ...${NORMAL}"
 # Sign the tarball.
 gpg --armor --output ${TARBALL}.asc --detach-sig ${TARBALL}
 
-echo "${GREEN}Creating a MD5 checksum...${NORMAL}"
+echo "${GREEN}Creating a SHA512 checksum ...${NORMAL}"
 
-# Create MD5 checksum.
-gpg --print-md MD5 ${TARBALL} > ${TARBALL}.md5
+# Create SHA512 checksum.
+"${SHA512SUM}" ${TARBALL} > ${TARBALL}.sha512
 
 SVN_DEV_REPO="https://dist.apache.org/repos/dist/dev/mesos";
 SVN_DEV_LOCAL="${WORK_DIR}/dev"
@@ -110,11 +115,11 @@ echo "${GREEN}Checking out svn dev repo ...${NORMAL}"
 svn co --depth=empty ${SVN_DEV_REPO} ${SVN_DEV_LOCAL}
 
 echo "${GREEN}Uploading the artifacts (the distribution," \
-  "signature, and MD5) ...${NORMAL}"
+  "signature, and checksum) ...${NORMAL}"
 
 RELEASE_DIRECTORY="${SVN_DEV_LOCAL}/${TAG}"
 mkdir ${RELEASE_DIRECTORY}
-mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.md5 ${RELEASE_DIRECTORY}
+mv ${TARBALL} ${TARBALL}.asc ${TARBALL}.sha512 ${RELEASE_DIRECTORY}
 
 popd # build
 popd # mesos
@@ -155,8 +160,8 @@ ${SVN_DEV_REPO}/${TAG}/${TARBALL}
 The tag to be voted on is ${TAG}:
 https://git-wip-us.apache.org/repos/asf?p=mesos.git;a=commit;h=${TAG}
 
-The MD5 checksum of the tarball can be found at:
-${SVN_DEV_REPO}/${TAG}/${TARBALL}.md5
+The SHA512 checksum of the tarball can be found at:
+${SVN_DEV_REPO}/${TAG}/${TARBALL}.sha512
 
 The signature of the tarball can be found at:
 ${SVN_DEV_REPO}/${TAG}/${TARBALL}.asc

Reply via email to