On 2/24/2017 6:26 AM, Daniel Shahaf wrote:
> Andreas Stieger wrote on Thu, Feb 23, 2017 at 21:08:43 +0100:
>> +++ tools/dist/release.py (working copy)
>> @@ -537,9 +537,9 @@ def roll_tarballs(args):
>>
>> shutil.move(filename, get_deploydir(args.base_dir))
>> filename = os.path.join(get_deploydir(args.base_dir), filename)
>> - m = hashlib.sha1()
>> + m = hashlib.sha512()
>> m.update(open(filename, 'r').read())
>> - open(filename + '.sha1', 'w').write(m.hexdigest())
>> + open(filename + '.sha512', 'w').write(m.hexdigest())
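Review bot: the unchanged context line `m.update(open(filename, 'r').read())` opens the tarball in text mode and reads it in one go. Since the digest lines on either side of it are being changed anyway, open the file with 'rb' and feed it to the hash in chunks. In text mode on Windows, newline translation can produce a digest that does not match the file's bytes. The new `.sha512` file also contains only the bare hex digest, so `sha512sum -c` cannot check it without a file name after the digest. Neither handle is closed explicitly; a `with` block would fix that for both the read and the write.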
> Should we keep generating both .sha1 and .sha512 for a transition
> period?
>
IMO this would make sense. At least on Windows there are still several
tools to verify file integrity which don't support SHA-512 just yet (one
example [1]). Might pose another burden for some users to verify the
package integrity (which on Windows isn't a functionality built directly
into the OS unfortunately).
[1] https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-utility
--
Regards,
Stefan Hett
Received on 2017-02-24 11:30:12 CET