Hello,

Found this lying around... maybe someone who previously made releases could check it out.
Obviously we could just as well use SHA-256. What do you think?

[[[
Use SHA-2 hashes for releases

* tools/dist/checksums.py: also check SHA-512 digest
* tools/dist/dist.sh: also generate SHA-512 digest
* tools/dist/download-release.sh: remove unused script
* tools/dist/release.py: switch to announcing SHA-512 digest
* tools/dist/templates/download.ezt,
  tools/dist/templates/rc-release-ann.ezt,
  tools/dist/templates/stable-release-ann.ezt: reference SHA-512 digests
  and HTTPS urls.
]]]

Andreas

--
Andreas Stieger <[email protected]>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Index: tools/dist/checksums.py
===================================================================
--- tools/dist/checksums.py (revision 1798304)
+++ tools/dist/checksums.py (working copy)
@@ -19,12 +19,14 @@
# under the License.
#
#
-# Check MD5 and SHA1 signatures of files, using md5sums and/or
-# sha1sums as manifests. Replaces the 'md5sum' and 'sha1sum' commands
+# Check MD5 and SHA-1 and SHA-2 signatures of files, using
+# md5sums, sha1sums, and/or sha512sums as manifests
+# Replaces the 'md5sum', 'sha1sum', and 'sha512sums' commands
# on systems that do not have them, such as Mac OS X or Windows.
#
# Usage: checksums.py [manifest]
-# where "os.path.basename(manifest)" is either "md5sums" or "sha1sums"
+# where "os.path.basename(manifest)" is either "md5sums", "sha1sums",
+# "sha512sums"
#
# Tested with the following Python versions:
# 2.4 2.5 2.6 2.7 3.2
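Review bot: the command name in the new header comment is wrong: the GNU tool is `sha512sum`, not `sha512sums` (that is the manifest file name), so `# Replaces the 'md5sum', 'sha1sum', and 'sha512sums' commands` should read `'sha512sum'`. Two smaller wording points in the same hunk: the manifest list in the Usage line lacks an "or" before `"sha512sums"`, and since the script compares digests rather than verifying signatures, "SHA-2 signatures" would be clearer as "SHA-512 digests", which is also the only SHA-2 variant the script accepts.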
@@ -37,6 +39,7 @@ import sys
try:
from hashlib import md5
from hashlib import sha1
+ from hashlib import sha512
except ImportError:
from md5 import md5
from sha import sha as sha1
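Review bot: the `except ImportError` fallback that still serves Python 2.4 (listed as tested in the header) binds replacements for `md5` and `sha1` but nothing for `sha512`, so on such an interpreter the name is unbound and a `sha512sums` manifest fails with a NameError at `Digester(sha512)` instead of a clear message. Either set `sha512 = None` in the fallback branch and have `main()` raise a ValueError explaining that SHA-512 needs `hashlib`, or drop 2.4 from the tested-versions list.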
@@ -67,9 +70,11 @@ def main(manipath):
sink = Digester(md5)
elif manifest == 'sha1sums':
sink = Digester(sha1)
+ elif manifest == 'sha512sums':
+ sink = Digester(sha512)
else:
raise ValueError('The name of the digest manifest must be '
- "'md5sums' or 'sha1sums', not '%s'" % manifest)
+ "'md5sums', 'sha1sums', or 'sha512sums', not '%s'" % manifest)
# No 'with' statement in Python 2.4 ...
stream = None
Index: tools/dist/dist.sh
===================================================================
--- tools/dist/dist.sh (revision 1798304)
+++ tools/dist/dist.sh (working copy)
@@ -369,9 +369,10 @@ sign_file()
fi
}
-# allow md5sum and sha1sum tool names to be overridden
+# allow md5sum,sha1sum, and sha512sum tool names to be overridden
[ -n "$MD5SUM" ] || MD5SUM=md5sum
[ -n "$SHA1SUM" ] || SHA1SUM=sha1sum
+[ -n "$SHA512SUM" ] || SHA512SUM=sha512sum
echo ""
echo "Done:"
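Review bot: minor style point in the updated comment: `# allow md5sum,sha1sum, and sha512sum tool names to be overridden` is missing a space after the first comma.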
@@ -387,6 +388,12 @@ if [ -z "$ZIP" ]; then
echo "sha1sums:"
$SHA1SUM "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz"
fi
+ type $SHA512SUM > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo ""
+ echo "sha512sums:"
+ $SHA512SUM "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz"
+ fi
else
ls -l "$DISTNAME.zip"
sign_file $DISTNAME.zip
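Review bot: the new block silently produces no SHA-512 output when `$SHA512SUM` is not found, which mirrors the existing `sha1sum` handling, but now that SHA-512 is the digest the release announcement is built around, a missing tool should at least print a warning to stderr rather than drop the `sha512sums:` section without trace. Also consider the shorter and equivalent `if type "$SHA512SUM" >/dev/null 2>&1; then` instead of testing `$?` on the following line; the same applies to the zip block below.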
@@ -399,4 +406,10 @@ else
echo "sha1sum:"
$SHA1SUM "$DISTNAME.zip"
fi
+ type $SHA512SUM > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo ""
+ echo "sha512sum:"
+ $SHA512SUM "$DISTNAME.zip"
+ fi
fi
Index: tools/dist/download-release.sh
===================================================================
--- tools/dist/download-release.sh (revision 1798304)
+++ tools/dist/download-release.sh (nonexistent)
@@ -1,28 +0,0 @@
-#!/bin/bash
-#
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-#
-BASEURL=$1
-VERSION=$2
-wget -nc $BASEURL/{{md5,sha1}sums,svn_version.h.dist,subversion{-deps,}-$VERSION.{{zip,tar.bz2}{.asc,},tar.gz.asc}}
-bzip2 -dk subversion{-deps,}-$VERSION.tar.bz2
-gzip -9n subversion{-deps,}-$VERSION.tar
-md5sum -c md5sums
-sha1sum -c sha1sums
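Review bot: the deletion matches the log entry "remove unused script" and nothing else in this patch references `tools/dist/download-release.sh`, but please confirm the release-process documentation does not still point at it before committing. Note that the removed script was also a verification step (`md5sum -c md5sums`, `sha1sum -c sha1sums`); anyone who relied on it should use `checksums.py` with the `sha512sums` manifest that this same patch teaches it to read.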
Property changes on: tools/dist/download-release.sh
___________________________________________________________________
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Index: tools/dist/release.py
===================================================================
--- tools/dist/release.py (revision 1798304)
+++ tools/dist/release.py (working copy)
@@ -537,9 +537,9 @@ def roll_tarballs(args):
shutil.move(filename, get_deploydir(args.base_dir))
filename = os.path.join(get_deploydir(args.base_dir), filename)
- m = hashlib.sha1()
+ m = hashlib.sha512()
m.update(open(filename, 'r').read())
- open(filename + '.sha1', 'w').write(m.hexdigest())
+ open(filename + '.sha512', 'w').write(m.hexdigest())
shutil.move('svn_version.h.dist',
get_deploydir(args.base_dir) + '/' + 'svn_version.h.dist'
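Review bot: while `m = hashlib.sha512()` is being touched, the unchanged line `m.update(open(filename, 'r').read())` opens a binary tarball in text mode and slurps it whole; that only works under Python 2 on POSIX (Python 3 rejects a `str` argument to `update()`, and text mode can alter bytes on Windows). Suggest `open(filename, 'rb')` and feeding the digest in fixed-size chunks. Also note that the `.sha1` sidecar files are no longer written at all, so the templates in this patch that now read `.sha512` must land in the same commit.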
@@ -758,39 +758,39 @@ def write_news(args):
template.generate(sys.stdout, data)
-def get_sha1info(args, replace=False):
- 'Return a list of sha1 info for the release'
+def get_sha512info(args, replace=False):
+ 'Return a list of sha512 info for the release'
target = get_target(args)
- sha1s = glob.glob(os.path.join(target, 'subversion*-%s*.sha1' % args.version))
+ sha512s = glob.glob(os.path.join(target, 'subversion*-%s*.sha512' % args.version))
class info(object):
pass
- sha1info = []
- for s in sha1s:
+ sha512info = []
+ for s in sha512s:
i = info()
- # strip ".sha1"
- fname = os.path.basename(s)[:-5]
+ # strip ".sha512"
+ fname = os.path.basename(s)[:-7]
if replace:
# replace the version number with the [version] reference
i.filename = Version.regex.sub('[version]', fname)
else:
i.filename = fname
- i.sha1 = open(s, 'r').read()
- sha1info.append(i)
+ i.sha512 = open(s, 'r').read()
+ sha512info.append(i)
- return sha1info
+ return sha512info
def write_announcement(args):
'Write the release announcement.'
- sha1info = get_sha1info(args)
+ sha512info = get_sha512info(args)
siginfo = "\n".join(get_siginfo(args, True)) + "\n"
data = { 'version' : str(args.version),
- 'sha1info' : sha1info,
+ 'sha512info' : sha512info,
'siginfo' : siginfo,
'major-minor' : args.version.branch,
'major-minor-patch' : args.version.base,
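Review bot: `fname = os.path.basename(s)[:-7]` is correct for the seven characters of `.sha512`, but the hard-coded slice just changed from -5 to -7 and will break again on the next digest swap; `os.path.splitext(os.path.basename(s))[0]` or `[:-len('.sha512')]` expresses the intent. The value read in `i.sha512 = open(s, 'r').read()` is also not stripped, so any trailing newline in the sidecar (none is written by `roll_tarballs` today) would end up inside the announcement line.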
@@ -809,10 +809,10 @@ def write_announcement(args):
def write_downloads(args):
'Output the download section of the website.'
- sha1info = get_sha1info(args, replace=True)
+ sha512info = get_sha512info(args, replace=True)
data = { 'version' : str(args.version),
- 'fileinfo' : sha1info,
+ 'fileinfo' : sha512info,
}
template = ezt.Template(compress_whitespace = False)
Index: tools/dist/templates/download.ezt
===================================================================
--- tools/dist/templates/download.ezt (revision 1798304)
+++ tools/dist/templates/download.ezt (working copy)
@@ -2,12 +2,12 @@
<table class="centered">
<tr>
<th>File</th>
- <th>Checksum (SHA1)</th>
+ <th>Checksum (SHA-512)</th>
<th>Signatures</th>
</tr>
[for fileinfo]<tr>
<td><a href="[[]preferred]subversion/[fileinfo.filename]">[fileinfo.filename]</a></td>
- <td class="checksum">[fileinfo.sha1]</td>
- <td>[<a href="http://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP</a>]</td>
+ <td class="checksum">[fileinfo.sha512]</td>
+ <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP</a>]</td>
</tr>[end]
</table>
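Review bot: the PGP link now goes to `https://www.apache.org/dist/` while the file link stays on `[[]preferred]` (the mirror), which is the right split: the signature and the SHA-512 value in the table come from the canonical host and are what lets a user validate a mirror download. Only confirming the intent; no change requested for this hunk.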
Index: tools/dist/templates/rc-release-ann.ezt
===================================================================
--- tools/dist/templates/rc-release-ann.ezt (revision 1798304)
+++ tools/dist/templates/rc-release-ann.ezt (working copy)
@@ -1,17 +1,17 @@
I'm happy to announce the release of Apache Subversion [version].
Please choose the mirror closest to you by visiting:
- http://subversion.apache.org/download.cgi#[anchor]
+ https://subversion.apache.org/download.cgi#[anchor]
-The SHA1 checksums are:
+The SHA-512 checksums are:
-[for sha1info] [sha1info.sha1] [sha1info.filename]
+[for sha512info] [sha512info.sha512] [sha512info.filename]
[end]
PGP Signatures are available at:
- http://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
- http://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
- http://www.apache.org/dist/subversion/subversion-[version].zip.asc
+ https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
+ https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
+ https://www.apache.org/dist/subversion/subversion-[version].zip.asc
For this release, the following people have provided PGP signatures:
@@ -20,7 +20,7 @@ This is a pre-release for what will eventually bec
[major-minor-patch]. It may contain known issues, a complete list of
[major-minor-patch]-blocking issues can be found here:
- http://subversion.tigris.org/issues/buglist.cgi?component=subversion&issue_status=NEW&issue_status=STARTED&issue_status=REOPENED&target_milestone=[major-minor-patch]
+ https://subversion.tigris.org/issues/buglist.cgi?component=subversion&issue_status=NEW&issue_status=STARTED&issue_status=REOPENED&target_milestone=[major-minor-patch]
A pre-release means the Subversion developers feel that this release
is ready for widespread testing by the community. There are known issues
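Review bot: the `subversion.tigris.org/issues/buglist.cgi?...` link is switched to `https://` together with the apache.org URLs, but tigris.org is a third-party host; please confirm it actually serves this buglist over HTTPS with a valid certificate before committing, since a dead link in a release-candidate announcement is worse than a plain-http one.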
@@ -46,11 +46,11 @@ end users please.
Release notes for the [major-minor].x release series may be found at:
- http://subversion.apache.org/docs/release-notes/[major-minor].html
+ https://subversion.apache.org/docs/release-notes/[major-minor].html
You can find the list of changes between [version] and earlier versions at:
- http://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
+ https://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
Questions, comments, and bug reports to [email protected].
Index: tools/dist/templates/stable-release-ann.ezt
===================================================================
--- tools/dist/templates/stable-release-ann.ezt (revision 1798304)
+++ tools/dist/templates/stable-release-ann.ezt (working copy)
@@ -1,17 +1,17 @@
I'm happy to announce the release of Apache Subversion [version].
Please choose the mirror closest to you by visiting:
- http://subversion.apache.org/download.cgi#[anchor]
+ https://subversion.apache.org/download.cgi#[anchor]
-The SHA1 checksums are:
+The SHA-512 checksums are:
-[for sha1info] [sha1info.sha1] [sha1info.filename]
+[for sha512info] [sha512info.sha512] [sha512info.filename]
[end]
PGP Signatures are available at:
- http://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
- http://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
- http://www.apache.org/dist/subversion/subversion-[version].zip.asc
+ https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc
+ https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc
+ https://www.apache.org/dist/subversion/subversion-[version].zip.asc
For this release, the following people have provided PGP signatures:
@@ -18,11 +18,11 @@ For this release, the following people have provid
[siginfo]
Release notes for the [major-minor].x release series may be found at:
- http://subversion.apache.org/docs/release-notes/[major-minor].html
+ https://subversion.apache.org/docs/release-notes/[major-minor].html
You can find the list of changes between [version] and earlier versions at:
- http://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
+ https://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES
Questions, comments, and bug reports to [email protected].