[GitHub] [brooklyn-dist] geomacy commented on a change in pull request #150: BROOKLYN-597 Remove md5/sha1 - DO NOT MERGE

Mon, 09 Dec 2019 14:08:33 -0800 

geomacy commented on a change in pull request #150: BROOKLYN-597 Remove 
md5/sha1 - DO NOT MERGE
URL: https://github.com/apache/brooklyn-dist/pull/150#discussion_r355711838
 
 

 ##########
 File path: release/make-release-artifacts.sh
 ##########
 @@ -270,19 +270,21 @@ cp 
${src_staging_dir}/brooklyn-dist/deb-packaging/target/apache-brooklyn-${curre
 ###############################################################################
 # Signatures and checksums
 
-# OSX doesn't have sha256sum, even if MacPorts md5sha1sum package is installed.
+# OSX doesn't have sha256sum, even if MacPorts package is installed.
 # Easy to fake it though.
 which sha256sum >/dev/null || alias sha256sum='shasum -a 256' && shopt -s 
expand_aliases
 
-( cd ${artifact_dir} &&
-    for a in *.tar.gz *.zip *.rpm *.deb; do
-        md5sum -b ${a} > ${a}.md5
-        sha1sum -b ${a} > ${a}.sha1
-        sha256sum -b ${a} > ${a}.sha256
-        gpg2 --armor --output ${a}.asc --detach-sig ${a}
-    done
+(
+  cd ${artifact_dir}
+  checksum_file="${artifact_name}-SHA256SUMS"
+
+  for a in *.tar.gz *.zip *.rpm *.deb; do
+      sha256sum -b ${a} >> ${checksum_file}
+  done
+  gpg2 --armor --output ${checksum_file}.asc --detach-sig ${checksum_file}
 
 Review comment:
   Hm. The policy text quoted in the JIRA doesn't mandate that there has to be 
a 1:1 correspondence between the artifact and the checksum/signature file, only 
that there should be a checksum and signature; I was thinking that having one 
file to do the job for each artifact would be ok.
   
   But you've made me look again at the policy and, lo and behold, it does 
mandate the 1:1 correspondence in the next paragraph: `The names of signature 
and checksum files MUST be formed by adding to the name of the artifact the 
following suffixes:` etc.
   
   So you're right, we need a sum and signature for each artifact independently.
   
   I'll revert that change and push it up again.
   
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to