Opened 2 years ago

#6187 defect new

prefer sha256 over md5 for tarball/installer signature file

Reported by: teratorn
Owned by:
Priority: normal
Milestone:
Component: release management
Keywords:
Cc: radix
Branch:
Author:
Launchpad Bug:

Description

The release process describes creating a signed manifest of md5 checksums for the various Twisted tarballs and installers produced during the release process.

I am proposing here to use sha256 sums instead.

AFAICT, this involves:

Updating http://twistedmatrix.com/trac/wiki/ReleaseProcess and replacing the line

e.g. md5sum Tw* | gpg -a --clearsign > twisted-$RELEASE-md5sums.txt

with

e.g. sha256sum Tw* | gpg -a --clearsign > twisted-$RELEASE-sha256sums.txt

And upon the next release, update the wording near the bottom of this page, http://twistedmatrix.com/trac/wiki/Downloads, to not refer explicitly to md5.

But really this step should be automated, so I'll file a new ticket for that feature. Marking this as a defect, since md5 is known to be defective.
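
A downloader-side check for the clearsigned sha256 manifest proposed above, as an added example that is not part of the ticket or of the Twisted release tooling. It assumes GNU coreutils sha256sum and that the signer's public key is already in the local GnuPG keyring; the function names check_manifest and verify_release are hypothetical.

```shell
#!/bin/sh
# Added example, not the Twisted project's release tooling.
# Assumes GNU coreutils sha256sum and the signer's public key in the keyring.

# check_manifest LIST DIR
# LIST is plain sha256sum output whose signature was already verified.
# Succeeds only if every listed file is present in DIR and matches.
check_manifest() {
    list=$1 dir=$2
    case $list in /*) ;; *) list=$PWD/$list ;; esac
    # An empty list would otherwise "verify" nothing.
    [ -s "$list" ] || { echo "empty manifest" >&2; return 1; }
    # Plain file names only, so no entry can point outside DIR.
    if grep -q '/' "$list"; then
        echo "manifest entries must be plain file names" >&2
        return 1
    fi
    # --strict makes a malformed line an error instead of a warning.
    ( cd "$dir" && sha256sum --check --strict --quiet "$list" )
}

# verify_release SIGNED DIR
# SIGNED is the clearsigned manifest, e.g. twisted-$RELEASE-sha256sums.txt.
verify_release() {
    signed=$1 dir=$2 rc=1
    tmp=$(mktemp) || return 1
    # --decrypt checks the signature and writes only the signed text, so
    # lines placed outside the signed block are never used as checksums.
    if gpg --batch --yes --output "$tmp" --decrypt "$signed"; then
        check_manifest "$tmp" "$dir" && rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh verify.sh twisted-$RELEASE-sha256sums.txt download-dir
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

gpg exits successfully for a good signature from any key in the keyring, so the keyring used for this check should hold only keys trusted to sign releases.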

Change History (1)

comment:1 Changed 2 years ago by DefaultCC Plugin

  • Cc radix added