On 2/24/2017 6:26 AM, Daniel Shahaf wrote:
Andreas Stieger wrote on Thu, Feb 23, 2017 at 21:08:43 +0100:
+++ tools/dist/release.py (working copy)
@@ -537,9 +537,9 @@ def roll_tarballs(args):
shutil.move(filename, get_deploydir(args.base_dir))
filename = os.path.join(get_deploydir(args.base_dir), filename)
- m = hashlib.sha1()
+ m = hashlib.sha512()
m.update(open(filename, 'r').read())
- open(filename + '.sha1', 'w').write(m.hexdigest())
+ open(filename + '.sha512', 'w').write(m.hexdigest())
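Review bot: the unchanged context line `m.update(open(filename, 'r').read())` reads the tarball in text mode, so on Windows the digest can be computed over newline-translated or truncated data, and under Python 3 `update()` would reject the resulting str. Since this hunk already touches the hashing, open the file with 'rb' and close it explicitly, for example with a `with` block. The new `.sha512` file, like the old `.sha1` one, holds only the bare hex digest. If it is meant to be checked with `sha512sum -c`, write the digest followed by two spaces and the file name. The hunk also removes the `.sha1` output outright, so a transition period would mean computing and writing both digests here.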
Should we keep generating both .sha1 and .sha512 for a transition
period?
IMO this would make sense. At least on Windows there are still several
tools to verify file integrity which don't support SHA-512 just yet (one
example [1]). Might pose another burden for some users to verify the
package integrity (which on Windows isn't a functionality built directly
into the OS unfortunately).
[1]
https://support.microsoft.com/en-us/help/841290/availability-and-description-of-the-file-checksum-integrity-verifier-utility
--
Regards,
Stefan Hett