From: Tomi Ollila <tomi.ollila@iki.fi>
To: David Bremner <david@tethera.net>, notmuch@notmuchmail.org
Subject: Re: [PATCH] build: use sha256sum instead of sha1sum to sign releases
Date: Thu, 02 Mar 2017 17:10:46 +0200 [thread overview]
Message-ID: <m2efyfyart.fsf@guru.guru-group.fi> (raw)
In-Reply-To: <20170302004447.26232-1-david@tethera.net>
On Thu, Mar 02 2017, David Bremner <david@tethera.net> wrote:
> SHA1 is weak/broken.
> ---
I'd just have 'build: use sha256sum instead of sha1sum to sign releases'
as a commit message.
Anyway, LGTM.
Tomi
PS: this is sha-2 256 -- that makes me wonder what will be the file suffix
for sha-3 256 (or for any other bits...)
> Makefile.global | 4 ++--
> Makefile.local | 9 ++++-----
> 2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/Makefile.global b/Makefile.global
> index d8f335af..7a78e9b5 100644
> --- a/Makefile.global
> +++ b/Makefile.global
> @@ -43,8 +43,8 @@ RELEASE_URL=https://notmuchmail.org/releases
> TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
> ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
> DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
> -SHA1_FILE=$(TAR_FILE).sha1
> -GPG_FILE=$(SHA1_FILE).asc
> +SHA256_FILE=$(TAR_FILE).sha256
> +GPG_FILE=$(SHA256_FILE).asc
>
> PV_FILE=bindings/python/notmuch/version.py
>
> diff --git a/Makefile.local b/Makefile.local
> index 3548ed96..d2ef3e08 100644
> --- a/Makefile.local
> +++ b/Makefile.local
> @@ -36,12 +36,11 @@ $(TAR_FILE):
> gzip < $(TAR_FILE).tmp > $(TAR_FILE)
> @echo "Source is ready for release in $(TAR_FILE)"
>
> -$(SHA1_FILE): $(TAR_FILE)
> - sha1sum $^ > $@
> +$(SHA256_FILE): $(TAR_FILE)
> + sha256sum $^ > $@
>
> -$(GPG_FILE): $(SHA1_FILE)
> - @echo "Please enter your GPG password to sign the checksum."
> - gpg --armor --sign $^
> +$(GPG_FILE): $(SHA256_FILE)
> + gpg --armor --sign $^
>
> .PHONY: dist
> dist: $(TAR_FILE)
> --
> 2.11.0
>
> _______________________________________________
> notmuch mailing list
> notmuch@notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch
next prev parent reply other threads:[~2017-03-02 15:11 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-02 0:44 [PATCH] build: use sha256sum instead of sha1sum to sign releases David Bremner
2017-03-02 15:10 ` Tomi Ollila [this message]
2017-03-02 21:37 ` David Bremner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2efyfyart.fsf@guru.guru-group.fi \
--to=tomi.ollila@iki.fi \
--cc=david@tethera.net \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).