As MD5 is insecure, the GNOME 2.28 modulesets in jhbuild have been
switched to SHA256 when using Python 2.5 or newer.

NOTE: Please still fill in the md5sum attribute for old Pythoners.

This has a few implications.

1. When adding new tarballs to a jhbuild moduleset file

Make sure to add it in the following format:

  <branch module="releases/cairo-1.8.6.tar.gz" version="1.8.6"
          md5sum="4e64139ef6f668df24450f3b81dd0771" size="6616544">

The hash attribute is new and its value MUST be prefixed with "sha256:".
Jhbuild does support other hash methods (whatever Python allows), but
please only use sha256.

IMPORTANT: Make sure to still fill in the md5sum attribute. This for
people with Python 2.4 or before (our RHEL5 buildbot).

2. For people with Python 2.4 or lower

Jhbuild will only look at the hash attribute in case the md5sum wasn't
specified. This to try and ensure you'll still be able to verify the
tarballs with md5.

3. People with custom modulesets

Jhbuild will still look at the md5sum attribute in case the hash
attribute is not specified (with some special exception for Python 2.4
or lower).
Meaning: everything will work as before (file a bug if not)

4. People with an old jhbuild

After committing the sha256 modulesets I noticed a small bug how jhbuild
handled the hash attribute. In any case, please do a 'git pull --rebase'
in case you receive errors.

5. People using the release team modulesets

The tarball modulesets provided by the release team as of 2.27.5 will
only contain a SHA256 hash. When using these modulesets on Python 2.4 or
before you will get a warning about an unsupported hash method.

The release team moduleset are files such as:

devel-announce-list mailing list

Reply via email to