unofficial mirror of notmuch@notmuchmail.org
 help / color / mirror / code / Atom feed
* [PATCH] build: use sha256sum instead of sha1sum to sign releases
@ 2017-03-02  0:44 David Bremner
  2017-03-02 15:10 ` Tomi Ollila
  0 siblings, 1 reply; 3+ messages in thread
From: David Bremner @ 2017-03-02  0:44 UTC (permalink / raw)
  To: notmuch

SHA1 is weak/broken.
---
 Makefile.global | 4 ++--
 Makefile.local  | 9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index d8f335af..7a78e9b5 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA1_FILE=$(TAR_FILE).sha1
-GPG_FILE=$(SHA1_FILE).asc
+SHA256_FILE=$(TAR_FILE).sha256
+GPG_FILE=$(SHA256_FILE).asc
 
 PV_FILE=bindings/python/notmuch/version.py
 
diff --git a/Makefile.local b/Makefile.local
index 3548ed96..d2ef3e08 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -36,12 +36,11 @@ $(TAR_FILE):
 	gzip < $(TAR_FILE).tmp > $(TAR_FILE)
 	@echo "Source is ready for release in $(TAR_FILE)"
 
-$(SHA1_FILE): $(TAR_FILE)
-	sha1sum $^ > $@
+$(SHA256_FILE): $(TAR_FILE)
+	sha256sum $^ > $@
 
-$(GPG_FILE): $(SHA1_FILE)
-	@echo "Please enter your GPG password to sign the checksum."
-	gpg --armor --sign $^ 
+$(GPG_FILE): $(SHA256_FILE)
+	gpg --armor --sign $^
 
 .PHONY: dist
 dist: $(TAR_FILE)
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] build: use sha256sum instead of sha1sum to sign releases
  2017-03-02  0:44 [PATCH] build: use sha256sum instead of sha1sum to sign releases David Bremner
@ 2017-03-02 15:10 ` Tomi Ollila
  2017-03-02 21:37   ` David Bremner
  0 siblings, 1 reply; 3+ messages in thread
From: Tomi Ollila @ 2017-03-02 15:10 UTC (permalink / raw)
  To: David Bremner, notmuch

On Thu, Mar 02 2017, David Bremner <david@tethera.net> wrote:

> SHA1 is weak/broken.
> ---

I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
as a commit message.

Anyway, LGTM.

Tomi

PS: this is sha-2 256 -- that makes me wonder what will be the file suffix
for sha-3 256 (or for any other bits...)


>  Makefile.global | 4 ++--
>  Makefile.local  | 9 ++++-----
>  2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/Makefile.global b/Makefile.global
> index d8f335af..7a78e9b5 100644
> --- a/Makefile.global
> +++ b/Makefile.global
> @@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
>  TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
>  ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
>  DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
> -SHA1_FILE=$(TAR_FILE).sha1
> -GPG_FILE=$(SHA1_FILE).asc
> +SHA256_FILE=$(TAR_FILE).sha256
> +GPG_FILE=$(SHA256_FILE).asc
>  
>  PV_FILE=bindings/python/notmuch/version.py
>  
> diff --git a/Makefile.local b/Makefile.local
> index 3548ed96..d2ef3e08 100644
> --- a/Makefile.local
> +++ b/Makefile.local
> @@ -36,12 +36,11 @@ $(TAR_FILE):
>  	gzip < $(TAR_FILE).tmp > $(TAR_FILE)
>  	@echo "Source is ready for release in $(TAR_FILE)"
>  
> -$(SHA1_FILE): $(TAR_FILE)
> -	sha1sum $^ > $@
> +$(SHA256_FILE): $(TAR_FILE)
> +	sha256sum $^ > $@
>  
> -$(GPG_FILE): $(SHA1_FILE)
> -	@echo "Please enter your GPG password to sign the checksum."
> -	gpg --armor --sign $^ 
> +$(GPG_FILE): $(SHA256_FILE)
> +	gpg --armor --sign $^
>  
>  .PHONY: dist
>  dist: $(TAR_FILE)
> -- 
> 2.11.0
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] build: use sha256sum instead of sha1sum to sign releases
  2017-03-02 15:10 ` Tomi Ollila
@ 2017-03-02 21:37   ` David Bremner
  0 siblings, 0 replies; 3+ messages in thread
From: David Bremner @ 2017-03-02 21:37 UTC (permalink / raw)
  To: Tomi Ollila, notmuch

Tomi Ollila <tomi.ollila@iki.fi> writes:

> On Thu, Mar 02 2017, David Bremner <david@tethera.net> wrote:
>
>> SHA1 is weak/broken.
>> ---
>
> I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
> as a commit message.
>

Sure, I don't mind; the editorializing doesn't really add much.

pushed to master

d

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-03-02 21:37 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-02  0:44 [PATCH] build: use sha256sum instead of sha1sum to sign releases David Bremner
2017-03-02 15:10 ` Tomi Ollila
2017-03-02 21:37   ` David Bremner

Code repositories for project(s) associated with this public inbox

	https://yhetil.org/notmuch.git/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).