From ce04ca31231138105fae3b0dda1670c6ec0e2dcb Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Mon, 26 Oct 2020 04:03:29 +0100 Subject: [PATCH] Use sha256 for hashes in the release process I just came across the GDB 10.1 release notes and saw that md5 is still being used in those. I thought it would be a good idea to instead have a more modern, secure and wildly available hash function such as SHA256 as part of the release process. The changes have been done rather mechnically via sed but executing the `src-release.sh -b gdb` did work so I am confident about the result. While this does not directly address the release mails, I was wasn't able to find the template/script used for those, this is probably still an improvement. ChangeLog: * src-release.sh: Use sha256sum instead of md5sum. binutils/ChangeLog: * README-how-to-make-a-release: Use sha256sum instead of md5sum. Change-Id: I9cf19ea40699137c45463b8514f6e29271af2347 --- ChangeLog | 4 ++++ binutils/ChangeLog | 4 ++++ binutils/README-how-to-make-a-release | 4 ++-- src-release.sh | 18 +++++++++--------- 4 files changed, 19 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9daa7be3226..c9a2f336148 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2020-10-26 Andreas Rammhold + + * src-release.sh: Use sha256sum instead of md5sum. + 2020-10-14 Andrew Burgess * Makefile.in: Rebuild. diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 838f8b8b733..5bd21259443 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,7 @@ +2020-10-26 Andreas Rammhold + + * README-how-to-make-a-release: Use sha256sum instead of md5sum. + 2020-10-28 Nick Clifton PR 26795 diff --git a/binutils/README-how-to-make-a-release b/binutils/README-how-to-make-a-release index abb2438c5c4..db962e2f550 100644 --- a/binutils/README-how-to-make-a-release +++ b/binutils/README-how-to-make-a-release @@ -124,7 +124,7 @@ How to perform a release. cd scp binutils-.90.tar.xz sourceware.org:~ftp/pub/binutils/snapshots - ssh sourceware.org md5sum ~ftp/pub/binutils/snapshots/binutils-.90.tar.xz + ssh sourceware.org sha256sum ~ftp/pub/binutils/snapshots/binutils-.90.tar.xz e. Clean up the source directory again. @@ -364,7 +364,7 @@ Cheers David Edelsohn announcing the new release. Sign the email and include the checksum: - md5sum binutils-2.3x.tar.* + sha256sum binutils-2.3x.tar.* (The email to Davis is so that he can update the GNU Toolchain social media). Something like this: diff --git a/src-release.sh b/src-release.sh index 1f69deeb0e6..fd65856a55c 100755 --- a/src-release.sh +++ b/src-release.sh @@ -26,7 +26,7 @@ BZIPPROG=bzip2 GZIPPROG=gzip LZIPPROG=lzip XZPROG=xz -MD5PROG=md5sum +SHA256PROG=sha256sum MAKE=make CC=gcc CXX=g++ @@ -168,15 +168,15 @@ do_proto_toplev() CVS_NAMES='-name CVS -o -name .cvsignore' -# Add an md5sum to the built tarball -do_md5sum() +# Add a sha256sum to the built tarball +do_sha256sum() { - echo "==> Adding md5 checksum to top-level directory" + echo "==> Adding sha256 checksum to top-level directory" (cd proto-toplev && find * -follow \( $CVS_NAMES \) -prune \ -o -type f -print \ - | xargs $MD5PROG > ../md5.new) - rm -f proto-toplev/md5.sum - mv md5.new proto-toplev/md5.sum + | xargs $SHA256PROG > ../sha256.new) + rm -f proto-toplev/sha256.sum + mv sha256.new proto-toplev/sha256.sum } # Build the release tarball @@ -276,7 +276,7 @@ tar_compress() verdir=${5:-$tool} ver=$(getver $verdir) do_proto_toplev $package $ver $tool "$support_files" - do_md5sum + do_sha256sum do_tar $package $ver do_compress $package $ver "$compressors" } @@ -290,7 +290,7 @@ gdb_tar_compress() compressors=$4 ver=$(getver $tool) do_proto_toplev $package $ver $tool "$support_files" - do_md5sum + do_sha256sum do_djunpack $package $ver do_tar $package $ver do_compress $package $ver "$compressors" -- 2.30.2