On 2/2/22 03:00, Michiel Beijen wrote:
> On Fri, Jan 21, 2022 at 3:55 AM Dennis Clarke via perl5-porters
> <perl5-porters@perl.org> wrote:
>>
>> On 1/20/22 17:53, Nicolas R. wrote:
>>> SHA1 digests for this release are:
>>>
>>> ae216761e14aaa0f052a8d97c8543d13c133d3de perl-5.35.8.tar.gz
>>> d674bd65ac949492728c19d5e25c63eac05023fc perl-5.35.8.tar.xz
>>
>> Why use the old ( and somewhat broken ) SHA1 for message digests?
>> The new ( and not broken ) SHA256 or even SHA3-256 would get the
>> job done just fine. Everyone has these in any recent OpenSSL as
>> message digest options.
>
> Hi Dennis,
> I decided to check into this, and found that the shasums in the
> release announcement are taken from PAUSE, the Perl Authors Upload
> SErver.
>
> So I sent a patch to PAUSE to use SHA256 and to remove the SHA1 and
> MD5sums, which got applied and deployed within hours!
> https://github.com/andk/pause/pull/379
> Then I went ahead and updated the Perl releasers instructions to
> update the text in the PORTING instructions, which was also merged
> very quickly --> https://github.com/Perl/perl5/pull/19386
>
> So the next perl release announcement will now have SHA256, thanks to
> your suggestion and to the responsive PAUSE and Perl maintainers!
>

Excellent and thank you very much. I did note that the primary source
tarball server does provide SHA256 hash data and looks like it always
has for years:

https://www.cpan.org/src/5.0/perl-5.35.8.tar.gz.sha256.txt

Of course it just seemed odd to me that md5 and sha1 were in the actual
release announcement email.

Thank you for the update Sir.

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional