Subject: Re: [PATCH] Use sha256 for hashes in the release process
To: andreas@rammhold.de, gdb-patches@sourceware.org, Binutils
From: Simon Marchi
Date: Sun, 25 Oct 2020 22:24:59 -0400

On 2020-10-25 9:33 p.m., andreas@rammhold.de wrote:

The binutils mailing list should be included in this patch (I added it in
this message).  See here for the patch:

  https://sourceware.org/pipermail/gdb-patches/2020-October/172848.html

> From: Andreas Rammhold
>
> I just came across the GDB 10.1 release notes and saw that md5 is still
> being used in those. I thought it would be a good idea to instead have a
> more modern, secure and widely available hash function such as SHA256 as
> part of the release process.
>
> The changes have been done rather mechanically via sed but executing the
> `src-release.sh -b gdb` did work so I am confident about the result.
>
> While this does not directly address the release mails, as I wasn't
> able to find the template/script used for those, this is probably still
> an improvement.

That sounds good to me.  I'm sure an argument against that will be that
it will break some people's scripts.  But in this case, I think a small
change like that (easy to adjust to), that impacts security (although
still a theoretical risk) is reasonable.

I am also not the one who does releases for GDB (nor binutils), so I
don't know what else this would impact.

> @@ -168,15 +168,15 @@ do_proto_toplev() > > CVS_NAMES='-name CVS -o -name .cvsignore' > > -# Add an md5sum to the built tarball > -do_md5sum() > +# Add an sha256sum to the built tarball Nit: an -> a Simon
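
Review bot: the quoted lines show the `do_md5sum()` definition being removed, so every remaining caller of `do_md5sum` in the script has to be renamed in the same patch or the release run will fail on an undefined function. Since the description says the edit was done mechanically with sed, a grep for leftover `md5` strings (function names, comments, printed messages) after applying the patch is worth doing before it is committed. In the new comment line, "an sha256sum" should read "a sha256sum".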