Looking at how our snapshots are secured in terms of checksums, I noticed we're still using MD5 and SHA-1 hashes.
Which is unfortunate, given that MD5 has been considered weak for what, a decade?, and SHA-1 has been considered weak for years as well and now been demonstrated broken for real.

So I went ahead and added SHA-256 as new primary hash, demoting SHA-1 to secondary, and removing MD5.

I also updated the copy of this script on gcc.gnu.org and will have a closer look at coming snapshots.

Gerald

2017-03-03 Gerald Pfeifer <ger...@pfeifer.com>

* gcc_release (snapshot_print): Replace md5 checksum by sha256.

Index: gcc_release =================================================================== --- gcc_release (revision 245874) +++ gcc_release (revision 245875) @@ -356,7 +356,7 @@ # Print description if snapshot exists. snapshot_print() { if [ -e ${RELEASE}/$1 ]; then - hash=`openssl md5 ${RELEASE}/$1 | sed -e 's#(.*)##' -e 's# *= *#=#'` + hash=`openssl sha256 ${RELEASE}/$1 | sed -e 's#(.*)##' -e 's# *= *#=#'` hash2=`openssl sha1 ${RELEASE}/$1 | sed -e 's#(.*)##' -e 's# *= *#=#'` printf " %-37s%s\n\n %s\n %s\n\n" "$1" "$2" "$hash" "$hash2" \
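Review bot: the hash2 assignment in snapshot_print(), the context line directly after the changed one, still runs "openssl sha1", so the snapshot description keeps publishing a SHA-1 value next to the new SHA-256 one, and anyone who checks only the second line is relying on the digest the message itself calls broken. If a second digest is wanted, "openssl sha512" would fit the same sed pipeline; otherwise hash2 and its "%s" in the printf format could be dropped. Separately, ${RELEASE}/$1 is unquoted in the -e test and in both openssl calls, so quoting it as "${RELEASE}/$1" would keep a path with whitespace from being split.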