[PATCH] use SHA-2 family hash for releases


[PATCH] use SHA-2 family hash for releases

Andreas Stieger
Hello,

After the alpha, the next release should go up with a SHA-2 family digest.

[[[
Use SHA-512 for releases

* tools/dist/release.py: generate SHA-512 digests

* tools/dist/templates/download.ezt
   tools/dist/templates/rc-release-ann.ezt
   tools/dist/templates/stable-release-ann.ezt: adjust text and variable

]]]

Andreas


Attachment: sha-2-release.patch (4K)

Re: [PATCH] use SHA-2 family hash for releases

Andreas Stieger
On 23/02/17 21:08, Andreas Stieger wrote:
> After the alpha, the next release should go up with a SHA-2 family
> digest.

And some cleanup patches, even though this does not currently seem to be
part of the release pipeline:

sha-2-dist.patch
[[[
* tools/dist/dist.sh: also print SHA-512
]]]

sha-2-checksums-py.patch
[[[
* tools/dist/checksums.py: support SHA-512
]]]

sha-2-cleanup.patch
[[[
* tools/dist/download-release.sh: remove unused script
]]]

Andreas

Attachments: sha-2-checksums-py.patch (1K), sha-2-dist.patch (1K), sha-2-cleanup.patch (1K)

Re: [PATCH] use SHA-2 family hash for releases

Daniel Shahaf
In reply to this post by Andreas Stieger
Andreas Stieger wrote on Thu, Feb 23, 2017 at 21:08:43 +0100:

> +++ tools/dist/release.py (working copy)
> @@ -537,9 +537,9 @@ def roll_tarballs(args):
>  
>          shutil.move(filename, get_deploydir(args.base_dir))
>          filename = os.path.join(get_deploydir(args.base_dir), filename)
> -        m = hashlib.sha1()
> +        m = hashlib.sha512()
>          m.update(open(filename, 'r').read())
> -        open(filename + '.sha1', 'w').write(m.hexdigest())
> +        open(filename + '.sha512', 'w').write(m.hexdigest())
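Review bot: the digest is computed over data read in text mode (`open(filename, 'r').read()`, the unchanged context line just above the `.sha512` write); on Python 3 that raises a decode error for a binary tarball, and on a platform that translates newlines in text mode it silently hashes the wrong bytes, so open with `'rb'` and feed `m.update()` in chunks rather than one `.read()` of the whole tarball into memory. The `.sha512` file also receives only `m.hexdigest()`, with no filename and no trailing newline, so `sha512sum -c` cannot consume it; writing `m.hexdigest() + '  ' + os.path.basename(filename) + '\n'` would make it verifiable with the standard tools.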

Should we keep generating both .sha1 and .sha512 for a transition
period?

Re: [PATCH] use SHA-2 family hash for releases

Stefan Hett
On 2/24/2017 6:26 AM, Daniel Shahaf wrote:

> Andreas Stieger wrote on Thu, Feb 23, 2017 at 21:08:43 +0100:
>> +++ tools/dist/release.py (working copy)
>> @@ -537,9 +537,9 @@ def roll_tarballs(args):
>>  
>>           shutil.move(filename, get_deploydir(args.base_dir))
>>           filename = os.path.join(get_deploydir(args.base_dir), filename)
>> -        m = hashlib.sha1()
>> +        m = hashlib.sha512()
>>           m.update(open(filename, 'r').read())
>> -        open(filename + '.sha1', 'w').write(m.hexdigest())
>> +        open(filename + '.sha512', 'w').write(m.hexdigest())
> Should we keep generating both .sha1 and .sha512 for a transition
> period?
>
IMO this would make sense. At least on Windows there are still several
tools to verify file integrity which don't support SHA-512 just yet (one
example [1]). Might pose another burden for some users to verify the
package integrity (which on Windows isn't a functionality built directly
into the OS unfortunately).

[1]
https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-utility

--
Regards,
Stefan Hett


Re: [PATCH] use SHA-2 family hash for releases

Andreas Stieger
Hello,

> > Should we keep generating both .sha1 and .sha512 for a transition
> > period?
> >
> IMO this would make sense. At least on Windows there are still several
> tools to verify file integrity which don't support SHA-512 just yet (one
> example [1]). Might pose another burden for some users to verify the
> package integrity (which on Windows isn't a functionality built directly
> into the OS unfortunately).

Not opposed to doing both. Just noting that after reading release.sh, it would seem that the .sha1 is primarily used to double check successful upload and publishing. User verification seems to be a secondary purpose, not least since we publish OpenPGP signatures on the full tarballs anyway.

Andreas

Re: [PATCH] use SHA-2 family hash for releases

Stefan Fuhrmann
In reply to this post by Daniel Shahaf-2
On 24.02.2017 06:26, Daniel Shahaf wrote:

> Andreas Stieger wrote on Thu, Feb 23, 2017 at 21:08:43 +0100:
>> +++ tools/dist/release.py (working copy)
>> @@ -537,9 +537,9 @@ def roll_tarballs(args):
>>  
>>           shutil.move(filename, get_deploydir(args.base_dir))
>>           filename = os.path.join(get_deploydir(args.base_dir), filename)
>> -        m = hashlib.sha1()
>> +        m = hashlib.sha512()
>>           m.update(open(filename, 'r').read())
>> -        open(filename + '.sha1', 'w').write(m.hexdigest())
>> +        open(filename + '.sha512', 'w').write(m.hexdigest())
> Should we keep generating both .sha1 and .sha512 for a transition
> period?
>
Generate both. People are free to use any for their verification needs.
So, more choice - better service to the user.

-- Stefan^2.
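The thread settles on publishing both a .sha1 and a .sha512 digest per tarball for a transition period, with the digest files usable both for the release manager's upload double-check and for user verification. The script below is an added example, not code from the Subversion patch or from tools/dist: it writes one digest file per algorithm in the two-space "<hex>  <filename>" layout that sha1sum/sha512sum -c accept, streams the artifact in binary mode, and verifies a downloaded file against such a digest file. The file name release.tar.bz2 and the b"abc" content in demo() are constructed stand-ins.

```python
# Added example (not part of the Subversion patch or its tools/dist scripts):
# publish .sha1 and .sha512 digest files for a release artifact, in the
# "<hex>  <filename>" format that sha1sum / sha512sum -c accept, and verify
# a downloaded artifact against such a digest file.
import hashlib
import os
import tempfile

# Algorithms published side by side during the transition period.
ALGORITHMS = ("sha1", "sha512")


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hex digest of a file, read in binary mode and streamed in chunks.

    Binary mode matters: text mode fails on Python 3 for a tarball and can
    translate newlines on some platforms, hashing the wrong bytes. Streaming
    avoids loading the whole tarball into memory.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_digest_files(path, algorithms=ALGORITHMS):
    """Write <path>.<algorithm> for each algorithm; return the paths written."""
    written = []
    for algorithm in algorithms:
        digest_path = path + "." + algorithm
        line = "%s  %s\n" % (file_digest(path, algorithm), os.path.basename(path))
        with open(digest_path, "w") as f:
            f.write(line)
        written.append(digest_path)
    return written


def verify_digest_file(path, digest_path):
    """Return True iff the digest file names `path` and its digest matches.

    The algorithm is taken from the digest file's extension, mirroring the
    .sha1 / .sha512 naming convention used in the thread.
    """
    algorithm = digest_path.rsplit(".", 1)[-1]
    if algorithm not in hashlib.algorithms_available:
        return False
    with open(digest_path) as f:
        expected, _, name = f.read().strip().partition("  ")
    if name != os.path.basename(path):
        return False
    return file_digest(path, algorithm) == expected


def demo():
    """Constructed end-to-end run in a temporary directory.

    Writes a stand-in "tarball" holding the bytes b"abc" (a standard hash
    test vector), publishes .sha1 and .sha512 next to it, verifies both,
    then appends a byte to the artifact and checks that verification fails.
    """
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "release.tar.bz2")  # constructed name
        with open(artifact, "wb") as f:
            f.write(b"abc")
        digest_files = write_digest_files(artifact)
        results = {
            "sha1": file_digest(artifact, "sha1"),
            "sha512": file_digest(artifact, "sha512"),
            "verified": [verify_digest_file(artifact, d) for d in digest_files],
        }
        with open(artifact, "ab") as f:  # tamper with the artifact
            f.write(b"\n")
        results["verified_after_tamper"] = [
            verify_digest_file(artifact, d) for d in digest_files
        ]
        return results


if __name__ == "__main__":
    print(demo())
```

The digest files double as the upload check mentioned in the thread: re-running verify_digest_file against the file fetched back from the mirror confirms it was published intact. They are an integrity check only; authenticity still comes from the OpenPGP signature on the tarball.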