Hello,

Found this lying around... maybe someone who previously made releases could check it out.

Obviously we could just as well use SHA-256. What do you think?

[[[
Use SHA-2 hashes for releases

* tools/dist/checksums.py: also check SHA-512 digest
* tools/dist/dist.sh: also generate SHA-512 digest
* tools/dist/download-release.sh: remove unused script
* tools/dist/release.py: switch to announcing SHA-512 digest
* tools/dist/templates/download.ezt,
  tools/dist/templates/rc-release-ann.ezt,
  tools/dist/templates/stable-release-ann.ezt: reference SHA-512 digests and HTTPS urls.
]]]

Andreas

--
Andreas Stieger <astie...@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Use SHA-2 hashes for releases * tools/dist/checksums.py: also check SHA-512 digest * tools/dist/dist.sh: also generate SHA-512 digest * tools/dist/download-release.sh: remove unused script * tools/dist/release.py: switch to announcing SHA-512 digest * tools/dist/templates/download.ezt, tools/dist/templates/rc-release-ann.ezt, tools/dist/templates/stable-release-ann.ezt: reference SHA-512 digests and HTTPS urls. Index: tools/dist/checksums.py =================================================================== --- tools/dist/checksums.py (revision 1798304) +++ tools/dist/checksums.py (working copy) @@ -19,12 +19,14 @@ # under the License. # # -# Check MD5 and SHA1 signatures of files, using md5sums and/or -# sha1sums as manifests. Replaces the 'md5sum' and 'sha1sum' commands +# Check MD5 and SHA-1 and SHA-2 signatures of files, using +# md5sums, sha1sums, and/or sha512sums as manifests +# Replaces the 'md5sum', 'sha1sum', and 'sha512sums' commands # on systems that do not have them, such as Mac OS X or Windows. # # Usage: checksums.py [manifest] -# where "os.path.basename(manifest)" is either "md5sums" or "sha1sums" +# where "os.path.basename(manifest)" is either "md5sums", "sha1sums", +# "sha512sums" # # Tested with the following Python versions: # 2.4 2.5 2.6 2.7 3.2 @@ -37,6 +39,7 @@ import sys try: from hashlib import md5 from hashlib import sha1 + from hashlib import sha512 except ImportError: from md5 import md5 from sha import sha as sha1 
@@ -67,9 +70,11 @@ def main(manipath): sink = Digester(md5) elif manifest == 'sha1sums': sink = Digester(sha1) + elif manifest == 'sha512sums': + sink = Digester(sha512) else: raise ValueError('The name of the digest manifest must be ' - "'md5sums' or 'sha1sums', not '%s'" % manifest) + "'md5sums', 'sha1sums', or 'sha512sums', not '%s'" % manifest) # No 'with' statement in Python 2.4 ... stream = None Index: tools/dist/dist.sh =================================================================== --- tools/dist/dist.sh (revision 1798304) +++ tools/dist/dist.sh (working copy) @@ -369,9 +369,10 @@ sign_file() fi } -# allow md5sum and sha1sum tool names to be overridden +# allow md5sum,sha1sum, and sha512sum tool names to be overridden [ -n "$MD5SUM" ] || MD5SUM=md5sum [ -n "$SHA1SUM" ] || SHA1SUM=sha1sum +[ -n "$SHA512SUM" ] || SHA512SUM=sha512sum echo "" echo "Done:" @@ -387,6 +388,12 @@ if [ -z "$ZIP" ]; then echo "sha1sums:" $SHA1SUM "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz" fi + type $SHA512SUM > /dev/null 2>&1 + if [ $? -eq 0 ]; then + echo "" + echo "sha512sums:" + $SHA512SUM "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz" + fi else ls -l "$DISTNAME.zip" sign_file $DISTNAME.zip @@ -399,4 +406,10 @@ else echo "sha1sum:" $SHA1SUM "$DISTNAME.zip" fi + type $SHA512SUM > /dev/null 2>&1 + if [ $? -eq 0 ]; then + echo "" + echo "sha512sum:" + $SHA512SUM "$DISTNAME.zip" + fi fi Index: tools/dist/download-release.sh =================================================================== --- tools/dist/download-release.sh (revision 1798304) +++ tools/dist/download-release.sh (nonexistent) 
@@ -1,28 +0,0 @@ -#!/bin/bash -# -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# -# -BASEURL=$1 -VERSION=$2 -wget -nc $BASEURL/{{md5,sha1}sums,svn_version.h.dist,subversion{-deps,}-$VERSION.{{zip,tar.bz2}{.asc,},tar.gz.asc}} -bzip2 -dk subversion{-deps,}-$VERSION.tar.bz2 -gzip -9n subversion{-deps,}-$VERSION.tar -md5sum -c md5sums -sha1sum -c sha1sums Property changes on: tools/dist/download-release.sh ___________________________________________________________________ Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:executable ## -1 +0,0 ## -* \ No newline at end of property Index: tools/dist/release.py =================================================================== --- tools/dist/release.py (revision 1798304) +++ tools/dist/release.py (working copy) 
@@ -537,9 +537,9 @@ def roll_tarballs(args): shutil.move(filename, get_deploydir(args.base_dir)) filename = os.path.join(get_deploydir(args.base_dir), filename) - m = hashlib.sha1() + m = hashlib.sha512() m.update(open(filename, 'r').read()) - open(filename + '.sha1', 'w').write(m.hexdigest()) + open(filename + '.sha512', 'w').write(m.hexdigest()) shutil.move('svn_version.h.dist', get_deploydir(args.base_dir) + '/' + 'svn_version.h.dist' @@ -758,39 +758,39 @@ def write_news(args): template.generate(sys.stdout, data) -def get_sha1info(args, replace=False): - 'Return a list of sha1 info for the release' +def get_sha512info(args, replace=False): + 'Return a list of sha512 info for the release' target = get_target(args) - sha1s = glob.glob(os.path.join(target, 'subversion*-%s*.sha1' % args.version)) + sha512s = glob.glob(os.path.join(target, 'subversion*-%s*.sha512' % args.version)) class info(object): pass - sha1info = [] - for s in sha1s: + sha512info = [] + for s in sha512s: i = info() - # strip ".sha1" - fname = os.path.basename(s)[:-5] + # strip ".sha512" + fname = os.path.basename(s)[:-7] if replace: # replace the version number with the [version] reference i.filename = Version.regex.sub('[version]', fname) else: i.filename = fname - i.sha1 = open(s, 'r').read() - sha1info.append(i) + i.sha512 = open(s, 'r').read() + sha512info.append(i) - return sha1info + return sha512info def write_announcement(args): 'Write the release announcement.' - sha1info = get_sha1info(args) + sha512info = get_sha512info(args) siginfo = "\n".join(get_siginfo(args, True)) + "\n" data = { 'version' : str(args.version), - 'sha1info' : sha1info, + 'sha512info' : sha512info, 'siginfo' : siginfo, 'major-minor' : args.version.branch, 'major-minor-patch' : args.version.base, 
@@ -809,10 +809,10 @@ def write_announcement(args): def write_downloads(args): 'Output the download section of the website.' - sha1info = get_sha1info(args, replace=True) + sha512info = get_sha512info(args, replace=True) data = { 'version' : str(args.version), - 'fileinfo' : sha1info, + 'fileinfo' : sha512info, } template = ezt.Template(compress_whitespace = False) Index: tools/dist/templates/download.ezt =================================================================== --- tools/dist/templates/download.ezt (revision 1798304) +++ tools/dist/templates/download.ezt (working copy) @@ -2,12 +2,12 @@ <table class="centered"> <tr> <th>File</th> - <th>Checksum (SHA1)</th> + <th>Checksum (SHA-512)</th> <th>Signatures</th> </tr> [for fileinfo]<tr> <td><a href="[[]preferred]subversion/[fileinfo.filename]">[fileinfo.filename]</a></td> - <td class="checksum">[fileinfo.sha1]</td> - <td>[<a href="http://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP</a>]</td> + <td class="checksum">[fileinfo.sha512]</td> + <td>[<a href="https://www.apache.org/dist/subversion/[fileinfo.filename].asc">PGP</a>]</td> </tr>[end] </table> Index: tools/dist/templates/rc-release-ann.ezt =================================================================== --- tools/dist/templates/rc-release-ann.ezt (revision 1798304) +++ tools/dist/templates/rc-release-ann.ezt (working copy) 
@@ -1,17 +1,17 @@ I'm happy to announce the release of Apache Subversion [version]. Please choose the mirror closest to you by visiting: - http://subversion.apache.org/download.cgi#[anchor] + https://subversion.apache.org/download.cgi#[anchor] -The SHA1 checksums are: +The SHA-512 checksums are: -[for sha1info] [sha1info.sha1] [sha1info.filename] +[for sha512info] [sha512info.sha512] [sha512info.filename] [end] PGP Signatures are available at: - http://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc - http://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc - http://www.apache.org/dist/subversion/subversion-[version].zip.asc + https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc + https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc + https://www.apache.org/dist/subversion/subversion-[version].zip.asc For this release, the following people have provided PGP signatures: @@ -20,7 +20,7 @@ This is a pre-release for what will eventually bec [major-minor-patch]. It may contain known issues, a complete list of [major-minor-patch]-blocking issues can be found here: - http://subversion.tigris.org/issues/buglist.cgi?component=subversion&issue_status=NEW&issue_status=STARTED&issue_status=REOPENED&target_milestone=[major-minor-patch] + https://subversion.tigris.org/issues/buglist.cgi?component=subversion&issue_status=NEW&issue_status=STARTED&issue_status=REOPENED&target_milestone=[major-minor-patch] A pre-release means the Subversion developers feel that this release is ready for widespread testing by the community. There are known issues 
@@ -46,11 +46,11 @@ end users please. Release notes for the [major-minor].x release series may be found at: - http://subversion.apache.org/docs/release-notes/[major-minor].html + https://subversion.apache.org/docs/release-notes/[major-minor].html You can find the list of changes between [version] and earlier versions at: - http://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES + https://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES Questions, comments, and bug reports to us...@subversion.apache.org. Index: tools/dist/templates/stable-release-ann.ezt =================================================================== --- tools/dist/templates/stable-release-ann.ezt (revision 1798304) +++ tools/dist/templates/stable-release-ann.ezt (working copy) @@ -1,17 +1,17 @@ I'm happy to announce the release of Apache Subversion [version]. Please choose the mirror closest to you by visiting: - http://subversion.apache.org/download.cgi#[anchor] + https://subversion.apache.org/download.cgi#[anchor] -The SHA1 checksums are: +The SHA-512 checksums are: -[for sha1info] [sha1info.sha1] [sha1info.filename] +[for sha512info] [sha512info.sha512] [sha512info.filename] [end] PGP Signatures are available at: - http://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc - http://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc - http://www.apache.org/dist/subversion/subversion-[version].zip.asc + https://www.apache.org/dist/subversion/subversion-[version].tar.bz2.asc + https://www.apache.org/dist/subversion/subversion-[version].tar.gz.asc + https://www.apache.org/dist/subversion/subversion-[version].zip.asc For this release, the following people have provided PGP signatures: 
@@ -18,11 +18,11 @@ For this release, the following people have provid [siginfo] Release notes for the [major-minor].x release series may be found at: - http://subversion.apache.org/docs/release-notes/[major-minor].html + https://subversion.apache.org/docs/release-notes/[major-minor].html You can find the list of changes between [version] and earlier versions at: - http://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES + https://svn.apache.org/repos/asf/subversion/tags/[version]/CHANGES Questions, comments, and bug reports to us...@subversion.apache.org.
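Review bot: in the checksums.py header hunk (@@ -19,12 +19,14 @@) the new comment names a 'sha512sums' command, but the tool is `sha512sum` (only the manifest file is called `sha512sums`), so that line should read `Replaces the 'md5sum', 'sha1sum', and 'sha512sum' commands`; the line before it also lost its trailing period after "manifests". Since the script handles digests, not signatures, and only SHA-512 of the SHA-2 family, "Check MD5, SHA-1 and SHA-512 digests of files" would describe the change more accurately than "SHA-2 signatures".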
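Review bot: the `except ImportError` fallback in the checksums.py import hunk (@@ -37,6 +39,7 @@) still binds only `md5` and `sha1` from the legacy modules and nothing for `sha512`, so on the Python 2.4 interpreter the header continues to list as tested, `sink = Digester(sha512)` in main() raises NameError instead of a usable message. Either add `sha512 = None` to the except branch and raise a clear ValueError in main() when a sha512sums manifest is requested without it, or drop 2.4 from the "Tested with" list.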
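Review bot: the rewritten comment in the dist.sh tool-name hunk (@@ -369,9 +369,10 @@) is missing a space after the first comma: `# allow md5sum, sha1sum, and sha512sum tool names to be overridden`.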
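Review bot: the new block in the dist.sh @@ -387,6 +388,12 @@ hunk (and its twin in @@ -399,4 +406,10 @@) silently skips the SHA-512 output when `$SHA512SUM` is not found, yet after this patch SHA-512 is the only checksum the announcement templates print, so a release manager on a box without the tool ends up with no digest and no indication why. Emit a warning to stderr in the else case, and tighten the test to `if type "$SHA512SUM" >/dev/null 2>&1; then` with the invocation quoted as `"$SHA512SUM" "$DISTNAME.tar.bz2" "$DISTNAME.tar.gz"` so an overridden tool path with spaces keeps working.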
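Review bot: the log message calls tools/dist/download-release.sh unused, but the removed file is the only place in this patch that actually verifies the manifests (`md5sum -c md5sums`, `sha1sum -c sha1sums`), and nothing added elsewhere runs `sha512sum -c sha512sums`. If release managers still check downloads this way, a SHA-512 verification step belongs somewhere (checksums.py or the release HOWTO), and the log message should say where verification now happens.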
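Review bot: in the roll_tarballs hunk of release.py (@@ -537,9 +537,9 @@) the touched line still does `m.update(open(filename, 'r').read())` in text mode: on Python 3 `update()` rejects a str, and on Windows text mode translates bytes before hashing, so the published digest would not match the file. Use `open(filename, 'rb')` inside a `with` block and feed the tarball to `m.update()` in chunks rather than reading it whole. Also confirm nothing on the dist side still expects the `.sha1` sidecar files, since they are no longer produced.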
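Review bot: in the get_sha512info hunk of release.py (@@ -758,39 +758,39 @@) the `[:-7]` slice is correct for '.sha512', but the rename had to adjust exactly this magic number; `os.path.basename(s)[:-len('.sha512')]` keeps the comment and the code from drifting apart. `i.sha512 = open(s, 'r').read()` also leaves the file handle open; a `with` block fixes that. Note the announcement templates print this string verbatim, so it depends on roll_tarballs writing `hexdigest()` without a trailing newline, which it does.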
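Review bot: the download.ezt hunk (@@ -2,12 +2,12 @@) now puts a 128-character hex digest into `<td class="checksum">` where a 40-character SHA-1 used to be; check that the site's `.checksum` style wraps or word-breaks it, otherwise the table overflows on narrow layouts. Switching the PGP link to https is the right call.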
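Review bot: the rc-release-ann.ezt hunk (@@ -20,7 +20,7 @@) rewrites the subversion.tigris.org issue-list URL to https; unlike the apache.org hosts, confirm that tigris.org actually serves that path over HTTPS with a valid certificate before committing, since this link goes into every RC announcement.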