Mirror of the gdb-patches mailing list
* [PATCH] Use sha256 for hashes in the release process
@ 2020-10-26  1:33 andreas
  2020-10-26  2:24 ` Simon Marchi
  0 siblings, 1 reply; 8+ messages in thread
From: andreas @ 2020-10-26  1:33 UTC (permalink / raw)
  To: gdb-patches; +Cc: Andreas Rammhold

From: Andreas Rammhold <andreas@rammhold.de>

I just came across the GDB 10.1 release notes and saw that md5 is still
being used in those. I thought it would be a good idea to instead have a
more modern, secure and widely available hash function such as SHA256 as
part of the release process.

The changes have been done rather mechanically via sed but executing the
`src-release.sh -b gdb` did work so I am confident about the result.

While this does not directly address the release mails, as I wasn't
able to find the template/script used for those, this is probably still
an improvement.

ChangeLog:
	* src-release.sh: Use sha256sum instead of md5sum.

binutils/ChangeLog:
	* README-how-to-make-a-release: Use sha256sum instead of md5sum.
---
 ChangeLog                             |  3 +++
 binutils/ChangeLog                    |  3 +++
 binutils/README-how-to-make-a-release |  4 ++--
 src-release.sh                        | 18 +++++++++---------
 4 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9daa7be322..e9e5f754bd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2020-10-26  Andreas Rammhold <andreas@rammhold.de>
+	* src-release.sh: Use sha256sum instead of md5sum.
+
 2020-10-14  Andrew Burgess  <andrew.burgess@embecosm.com>
 
 	* Makefile.in: Rebuild.
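Review bot: The new ChangeLog entry at the top of this hunk is missing the empty line that GNU ChangeLog format puts between the date/author header and the `* src-release.sh:` line, and it has a single space before the e-mail address where the existing entries (see the 2020-10-14 Andrew Burgess entry in the context) use two. Suggest `2020-10-26  Andreas Rammhold  <andreas@rammhold.de>`, then a blank line, then the tab-indented entry.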
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 4c14fd1510..8772a930b2 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,6 @@
+2020-10-26  Andreas Rammhold <andreas@rammhold.de>
+	* README-how-to-make-a-release: Use sha256sum instead of md5sum.
+
 2020-10-22  H.J. Lu  <hongjiu.lu@intel.com>
 
 	* testsuite/binutils-all/objcopy.exp (objcopy_test): Report
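Review bot: Same ChangeLog formatting issue as in the top-level ChangeLog: the new binutils/ChangeLog entry needs an empty line between `2020-10-26  Andreas Rammhold <andreas@rammhold.de>` and the `* README-how-to-make-a-release:` line, and two spaces before the address, matching the 2020-10-22 H.J. Lu entry shown in the context.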
diff --git a/binutils/README-how-to-make-a-release b/binutils/README-how-to-make-a-release
index abb2438c5c..db962e2f55 100644
--- a/binutils/README-how-to-make-a-release
+++ b/binutils/README-how-to-make-a-release
@@ -124,7 +124,7 @@ How to perform a release.
 
           cd <branch-sources>
           scp binutils-<OLD_VERSION>.90.tar.xz sourceware.org:~ftp/pub/binutils/snapshots
-          ssh sourceware.org md5sum ~ftp/pub/binutils/snapshots/binutils-<OLD_VERSION>.90.tar.xz
+          ssh sourceware.org sha256sum ~ftp/pub/binutils/snapshots/binutils-<OLD_VERSION>.90.tar.xz
 
      e. Clean up the source directory again.
 
@@ -364,7 +364,7 @@ Cheers
       David Edelsohn <dje.gcc@gmail.com> announcing the new release.
       Sign the email and include the checksum:
 
-          md5sum binutils-2.3x.tar.*
+          sha256sum binutils-2.3x.tar.*
 
       (The email to Davis is so that he can update the GNU Toolchain
       social media).  Something like this:
diff --git a/src-release.sh b/src-release.sh
index 1f69deeb0e..0ed467125b 100755
--- a/src-release.sh
+++ b/src-release.sh
@@ -26,7 +26,7 @@ BZIPPROG=bzip2
 GZIPPROG=gzip
 LZIPPROG=lzip
 XZPROG=xz
-MD5PROG=md5sum
+SHA256PROG=sha256sum
 MAKE=make
 CC=gcc
 CXX=g++
@@ -168,15 +168,15 @@ do_proto_toplev()
 
 CVS_NAMES='-name CVS -o -name .cvsignore'
 
-# Add an md5sum to the built tarball
-do_md5sum()
+# Add an sha256sum to the built tarball
+do_sha256sum()
 {
-    echo "==> Adding md5 checksum to top-level directory"
+    echo "==> Adding sha256 checksum to top-level directory"
     (cd proto-toplev && find * -follow \( $CVS_NAMES \) -prune \
 	-o -type f -print \
-	| xargs $MD5PROG > ../md5.new)
-    rm -f proto-toplev/md5.sum
-    mv md5.new proto-toplev/md5.sum
+	| xargs $SHA256PROG > ../sha256.new)
+    rm -f proto-toplev/sha256.sum
+    mv sha256.new proto-toplev/sha256.sum
 }
 
 # Build the release tarball
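Review bot: The new comment in this hunk should read `# Add a sha256sum to the built tarball`, or better a wording that does not depend on how the tool name is pronounced, such as `# Add a SHA-256 checksum file to the built tarball`. Separately, renaming the file shipped inside proto-toplev from md5.sum to sha256.sum changes the contents of every release tarball, so any downstream script that reads md5.sum will stop finding it; that is a reasonable trade for dropping MD5, but the commit message should state the rename explicitly so release consumers know to adjust.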
@@ -276,7 +276,7 @@ tar_compress()
     verdir=${5:-$tool}
     ver=$(getver $verdir)
     do_proto_toplev $package $ver $tool "$support_files"
-    do_md5sum
+    do_sha256sum
     do_tar $package $ver
     do_compress $package $ver "$compressors"
 }
@@ -290,7 +290,7 @@ gdb_tar_compress()
     compressors=$4
     ver=$(getver $tool)
     do_proto_toplev $package $ver $tool "$support_files"
-    do_md5sum
+    do_sha256sum
     do_djunpack $package $ver
     do_tar $package $ver
     do_compress $package $ver "$compressors"
-- 
2.28.0


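As an added example (not code from the patch or from src-release.sh), the script below builds a sha256.sum manifest over a constructed sample tree with the same "find | xargs sha256sum" pipeline the patched do_sha256sum() uses, verifies it with "sha256sum -c", and shows a modified file being caught. The sample tree, its file names and contents are constructed for this example, and a coreutils-style sha256sum is assumed.

```shell
#!/bin/sh
# Added example, not code from the patch or from src-release.sh: build a
# sha256.sum manifest over a constructed sample tree with the same
# "find | xargs sha256sum" pipeline the patched do_sha256sum() uses, verify
# it with "sha256sum -c", and show that a modified file is caught.

SHA256PROG=sha256sum   # same variable name as the patch; coreutils assumed

# build_sample_tree: create a small stand-in for proto-toplev and print its
# path.  Directory layout, file names and contents are invented here.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/gdb" "$t/bfd"
    printf '10.1\n' > "$t/gdb/version.in"
    printf 'int bfd_init (void) { return 0; }\n' > "$t/bfd/init.c"
    printf '%s\n' "$t"
}

# make_manifest DIR: hash every regular file under DIR into DIR/sha256.sum.
# The output goes to a temp file first, as in the patch (sha256.new), so the
# manifest never lists itself.  The CVS exclusions of src-release.sh are
# omitted; the sample tree has no such entries and no spaces in names.
make_manifest() {
    tmp=$(mktemp)
    (cd "$1" && find . -type f ! -name sha256.sum -print | LC_ALL=C sort \
        | xargs "$SHA256PROG") > "$tmp" &&
    mv "$tmp" "$1/sha256.sum"
}

# verify_manifest DIR: exit 0 if every file listed in DIR/sha256.sum matches,
# non-zero on any mismatch, missing file, or a manifest without valid
# SHA-256 lines (e.g. a stale md5.sum copied under the new name).
verify_manifest() {
    (cd "$1" && "$SHA256PROG" -c sha256.sum) >/dev/null 2>&1
}

# Demo run: a clean tree verifies, a tampered one does not.
tree=$(build_sample_tree)
make_manifest "$tree"
verify_manifest "$tree" && echo "clean tree: sha256.sum verifies"
printf 'tampered\n' >> "$tree/gdb/version.in"
verify_manifest "$tree" || echo "tampered tree: verification fails"
rm -rf "$tree"
```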

* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26  1:33 [PATCH] Use sha256 for hashes in the release process andreas
@ 2020-10-26  2:24 ` Simon Marchi
  2020-10-26  3:04   ` andreas
  2020-10-26  7:46   ` Andreas Schwab
  0 siblings, 2 replies; 8+ messages in thread
From: Simon Marchi @ 2020-10-26  2:24 UTC (permalink / raw)
  To: andreas, gdb-patches, Binutils

On 2020-10-25 9:33 p.m., andreas@rammhold.de wrote:

The binutils mailing list should be included in this patch (I added it
in this message).  See here for the patch:

    https://sourceware.org/pipermail/gdb-patches/2020-October/172848.html

> From: Andreas Rammhold <andreas@rammhold.de>
>
> I just came across the GDB 10.1 release notes and saw that md5 is still
> being used in those. I thought it would be a good idea to instead have a
> more modern, secure and widely available hash function such as SHA256 as
> part of the release process.
>
> The changes have been done rather mechanically via sed but executing the
> `src-release.sh -b gdb` did work so I am confident about the result.
>
> While this does not directly address the release mails, as I wasn't
> able to find the template/script used for those, this is probably still
> an improvement.

That sounds good to me.  I'm sure an argument against that will be that
it will break some people's scripts.  But in this case, I think a small
change like that (easy to adjust to), that impacts security (although
still a theoretical risk) is reasonable.

I am also not the one who does releases for GDB (nor binutils), so I
don't know what else this would impact.

> @@ -168,15 +168,15 @@ do_proto_toplev()
>
>  CVS_NAMES='-name CVS -o -name .cvsignore'
>
> -# Add an md5sum to the built tarball
> -do_md5sum()
> +# Add an sha256sum to the built tarball

Nit: an -> a

Simon


* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26  2:24 ` Simon Marchi
@ 2020-10-26  3:04   ` andreas
  2020-10-26  7:46   ` Andreas Schwab
  1 sibling, 0 replies; 8+ messages in thread
From: andreas @ 2020-10-26  3:04 UTC (permalink / raw)
  To: Simon Marchi; +Cc: gdb-patches, andreas, Binutils

On 22:24 25.10.20, Simon Marchi wrote:
> > @@ -168,15 +168,15 @@ do_proto_toplev()
> >
> >  CVS_NAMES='-name CVS -o -name .cvsignore'
> >
> > -# Add an md5sum to the built tarball
> > -do_md5sum()
> > +# Add an sha256sum to the built tarball
> 
> Nit: an -> a

Fixed in v2


* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26  2:24 ` Simon Marchi
  2020-10-26  3:04   ` andreas
@ 2020-10-26  7:46   ` Andreas Schwab
  2020-10-26 12:53     ` Simon Marchi
  1 sibling, 1 reply; 8+ messages in thread
From: Andreas Schwab @ 2020-10-26  7:46 UTC (permalink / raw)
  To: Simon Marchi; +Cc: gdb-patches, andreas, Binutils

On Okt 25 2020, Simon Marchi wrote:

>> @@ -168,15 +168,15 @@ do_proto_toplev()
>>
>>  CVS_NAMES='-name CVS -o -name .cvsignore'
>>
>> -# Add an md5sum to the built tarball
>> -do_md5sum()
>> +# Add an sha256sum to the built tarball
>
> Nit: an -> a

Are you sure?  How would you pronounce sha256sum?

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."


* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26  7:46   ` Andreas Schwab
@ 2020-10-26 12:53     ` Simon Marchi
  2020-10-26 13:31       ` Andreas Schwab
  0 siblings, 1 reply; 8+ messages in thread
From: Simon Marchi @ 2020-10-26 12:53 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: gdb-patches, andreas, Binutils

On 2020-10-26 3:46 a.m., Andreas Schwab wrote:
> On Okt 25 2020, Simon Marchi wrote:
> 
>>> @@ -168,15 +168,15 @@ do_proto_toplev()
>>>
>>>  CVS_NAMES='-name CVS -o -name .cvsignore'
>>>
>>> -# Add an md5sum to the built tarball
>>> -do_md5sum()
>>> +# Add an sha256sum to the built tarball
>>
>> Nit: an -> a
> 
> Are you sure?  How would you pronounce sha256sum?

"a shaw two fifty-six sum".

Simon


* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26 12:53     ` Simon Marchi
@ 2020-10-26 13:31       ` Andreas Schwab
  2020-10-26 14:10         ` Simon Marchi
  0 siblings, 1 reply; 8+ messages in thread
From: Andreas Schwab @ 2020-10-26 13:31 UTC (permalink / raw)
  To: Simon Marchi; +Cc: gdb-patches, andreas, Binutils

On Okt 26 2020, Simon Marchi wrote:

> On 2020-10-26 3:46 a.m., Andreas Schwab wrote:
>> On Okt 25 2020, Simon Marchi wrote:
>> 
>>>> @@ -168,15 +168,15 @@ do_proto_toplev()
>>>>
>>>>  CVS_NAMES='-name CVS -o -name .cvsignore'
>>>>
>>>> -# Add an md5sum to the built tarball
>>>> -do_md5sum()
>>>> +# Add an sha256sum to the built tarball
>>>
>>> Nit: an -> a
>> 
>> Are you sure?  How would you pronounce sha256sum?
>
> "a shaw two fifty-six sum".

But SHA is an abbreviation, so I would expect ES EITCH EI.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."


* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26 13:31       ` Andreas Schwab
@ 2020-10-26 14:10         ` Simon Marchi
  2020-10-26 14:20           ` Andreas Schwab
  0 siblings, 1 reply; 8+ messages in thread
From: Simon Marchi @ 2020-10-26 14:10 UTC (permalink / raw)
  To: Andreas Schwab; +Cc: gdb-patches, andreas, Binutils

On 2020-10-26 9:31 a.m., Andreas Schwab wrote:
> But SHA is an abbreviation, so I would expect ES EITCH EI.

More precisely, it is an acronym.  And acronyms are pronounced as a word
all the time.  Since it's much easier to say "shaw" than "s-h-a", I
presume most people say "shaw" (that's how I've always heard it anyway).

Simon


* Re: [PATCH] Use sha256 for hashes in the release process
  2020-10-26 14:10         ` Simon Marchi
@ 2020-10-26 14:20           ` Andreas Schwab
  0 siblings, 0 replies; 8+ messages in thread
From: Andreas Schwab @ 2020-10-26 14:20 UTC (permalink / raw)
  To: Simon Marchi; +Cc: gdb-patches, andreas, Binutils

On Okt 26 2020, Simon Marchi wrote:

> On 2020-10-26 9:31 a.m., Andreas Schwab wrote:
>> But SHA is an abbreviation, so I would expect ES EITCH EI.
>
> More precisely, it is an acronym.  And acronyms are pronounced as a word
> all the time.  Since it's much easier to say "shaw" than "s-h-a", I
> presume most people say "shaw" (that's how I've always heard it anyway).

So the right thing to do is to reformulate the sentence so that it
doesn't depend on sha256sum being a word.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

