
Re: [PATCH] use SHA-2 family hash for releases

From: Stefan Hett <stefan_at_egosoft.com>
Date: Fri, 24 Feb 2017 11:30:02 +0100

On 2/24/2017 6:26 AM, Daniel Shahaf wrote:
> Andreas Stieger wrote on Thu, Feb 23, 2017 at 21:08:43 +0100:
>> +++ tools/dist/release.py (working copy)
>> @@ -537,9 +537,9 @@ def roll_tarballs(args):
>>
>> shutil.move(filename, get_deploydir(args.base_dir))
>> filename = os.path.join(get_deploydir(args.base_dir), filename)
>> - m = hashlib.sha1()
>> + m = hashlib.sha512()
>> m.update(open(filename, 'r').read())
>> - open(filename + '.sha1', 'w').write(m.hexdigest())
>> + open(filename + '.sha512', 'w').write(m.hexdigest())
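
Review bot: the unchanged context line `m.update(open(filename, 'r').read())`
opens the release artifact in text mode, so the digest is not guaranteed to be
computed over the exact bytes of the file on every platform; open it with 'rb'.
The same line reads the whole file into memory and never closes the handle, and
a `with open(filename, 'rb') as f:` block that feeds `m.update()` in chunks
would fix both. On the added `write(m.hexdigest())` line, the `.sha512` file
holds only the bare hex digest with no filename, so it cannot be passed as-is
to `sha512sum -c`; consider writing the `digest  filename` form instead.
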
> Should we keep generating both .sha1 and .sha512 for a transition
> period?
>
IMO this would make sense. At least on Windows there are still several
tools to verify file integrity which don't support SHA-512 just yet (one
example [1]). Might pose another burden for some users to verify the
package integrity (which on Windows isn't a functionality built directly
into the OS unfortunately).

[1]
https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-utility

-- 
Regards,
Stefan Hett
Received on 2017-02-24 11:30:12 CET

This is an archived mail posted to the Subversion Dev mailing list.