[
https://issues.apache.org/jira/browse/ARROW-2268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16392998#comment-16392998
]
ASF GitHub Bot commented on ARROW-2268:
---------------------------------------
wesm closed pull request #1731: ARROW-2268: Drop usage of md5 checksums for
source releases, verification scripts
URL: https://github.com/apache/arrow/pull/1731
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/dev/release/02-source.sh b/dev/release/02-source.sh
index 62478131d..fa1c3e3ca 100755
--- a/dev/release/02-source.sh
+++ b/dev/release/02-source.sh
@@ -97,7 +97,6 @@ ${SOURCE_DIR}/run-rat.sh ${tarball}
# sign the archive
gpg --armor --output ${tarball}.asc --detach-sig ${tarball}
-gpg --print-md MD5 ${tarball} > ${tarball}.md5
sha1sum $tarball > ${tarball}.sha1
sha256sum $tarball > ${tarball}.sha256
sha512sum $tarball > ${tarball}.sha512
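Review bot: The retained `sha1sum $tarball > ${tarball}.sha1` line keeps publishing a SHA-1 digest next to the SHA-256 and SHA-512 files. Since the purpose of this change is to stop shipping a weak checksum, either drop the `.sha1` output as well or add a comment above the checksum block saying why it stays. The checksum lines also use an unquoted `$tarball`; quoting it (`"$tarball"`, `"${tarball}.sha256"`) keeps a path containing spaces from being split into several arguments.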
diff --git a/dev/release/js-source-release.sh b/dev/release/js-source-release.sh
index bf32acd05..53b31af62 100755
--- a/dev/release/js-source-release.sh
+++ b/dev/release/js-source-release.sh
@@ -78,7 +78,6 @@ ${SOURCE_DIR}/run-rat.sh ${tarball}
# sign the archive
gpg --armor --output ${tarball}.asc --detach-sig ${tarball}
-gpg --print-md MD5 ${tarball} > ${tarball}.md5
sha1sum $tarball > ${tarball}.sha1
sha256sum $tarball > ${tarball}.sha256
sha512sum $tarball > ${tarball}.sha512
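Review bot: The sign-and-checksum block in this hunk of js-source-release.sh is line for line the same as the one in 02-source.sh, so the MD5 removal had to be made twice and the next algorithm change will have to be as well. Consider moving the `gpg --armor ... --detach-sig` line and the `sha*sum` lines into one shared function that both release scripts source, so the list of published digests is defined in a single place.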
diff --git a/dev/release/js-verify-release-candidate.sh
b/dev/release/js-verify-release-candidate.sh
index 5a37e10f7..039c94dec 100755
--- a/dev/release/js-verify-release-candidate.sh
+++ b/dev/release/js-verify-release-candidate.sh
@@ -54,13 +54,14 @@ fetch_archive() {
local dist_name=$1
download_rc_file ${dist_name}.tar.gz
download_rc_file ${dist_name}.tar.gz.asc
- download_rc_file ${dist_name}.tar.gz.md5
+ download_rc_file ${dist_name}.tar.gz.sha1
download_rc_file ${dist_name}.tar.gz.sha512
gpg --verify ${dist_name}.tar.gz.asc ${dist_name}.tar.gz
- gpg --print-md MD5 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.md5
if [ "$(uname)" == "Darwin" ]; then
+ shasum -a 1 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha1
shasum -a 512 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha512
else
+ sha1sum ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha1
sha512sum ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha512
fi
}
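Review bot: The added `sha1sum ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha1` line, and its `shasum -a 1` counterpart in the Darwin branch, compare the tool's whole output line byte for byte against the downloaded file. A difference in spacing or in the binary/text marker therefore fails the same way as a wrong digest, and the only output is a raw diff. The tools' check mode (`sha1sum -c ${dist_name}.tar.gz.sha1`, `shasum -a 1 -c ${dist_name}.tar.gz.sha1`) parses the checksum file and reports OK or FAILED per file, which is easier to read in a release-candidate verification log. The same applies to the existing SHA-512 lines just below.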
diff --git a/dev/release/verify-release-candidate.sh
b/dev/release/verify-release-candidate.sh
index f33211e26..cb9b01b37 100755
--- a/dev/release/verify-release-candidate.sh
+++ b/dev/release/verify-release-candidate.sh
@@ -62,13 +62,14 @@ fetch_archive() {
local dist_name=$1
download_rc_file ${dist_name}.tar.gz
download_rc_file ${dist_name}.tar.gz.asc
- download_rc_file ${dist_name}.tar.gz.md5
+ download_rc_file ${dist_name}.tar.gz.sha1
download_rc_file ${dist_name}.tar.gz.sha512
gpg --verify ${dist_name}.tar.gz.asc ${dist_name}.tar.gz
- gpg --print-md MD5 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.md5
if [ "$(uname)" == "Darwin" ]; then
+ shasum -a 1 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha1
shasum -a 512 ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha512
else
+ sha1sum ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha1
sha512sum ${dist_name}.tar.gz | diff - ${dist_name}.tar.gz.sha512
fi
}
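Review bot: `fetch_archive` here downloads and compares `.sha1` and `.sha512` only, while 02-source.sh in this same patch still writes `${tarball}.sha256`, so that published checksum is never checked by the verification script. Add `download_rc_file ${dist_name}.tar.gz.sha256` next to the other downloads and a matching comparison in each branch (`shasum -a 256` on Darwin, `sha256sum` otherwise). js-verify-release-candidate.sh has the same gap.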
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
> Remove MD5 checksums from release process
> -----------------------------------------
>
> Key: ARROW-2268
> URL: https://issues.apache.org/jira/browse/ARROW-2268
> Project: Apache Arrow
> Issue Type: Bug
> Reporter: Wes McKinney
> Assignee: Wes McKinney
> Priority: Major
> Labels: pull-request-available
> Fix For: 0.9.0
>
>
> The ASF has changed its release policy for signatures and checksums to
> contraindicate the use of MD5 checksums:
> http://www.apache.org/dev/release-distribution#sigs-and-sums. We should
> remove this from our various release scripts prior to the 0.9.0 release.