Development: Jhbuild moduleset: SHA256 hash instead of MD5


http://permalink.gmane.org – As MD5 is insecure, the GNOME 2.28 modulesets in jhbuild have been switched to SHA256 when using Python 2.5 or newer.

NOTE: Please still fill in the md5sum attribute for old Pythoners.

This has a few implications.

1. When adding new tarballs to a jhbuild moduleset file

Make sure to add it in the following format:

    <branch module="releases/cairo-1.8.6.tar.gz" version="1.8.6"
            repo="cairo.org"
            hash="sha256:93a347af0cecf258be8fb54265b16a0fb16317df4a32896141d2987c30773535"
            md5sum="4e64139ef6f668df24450f3b81dd0771" size="6616544">

The hash attribute is new and its value MUST be prefixed with "sha256:". Jhbuild does support other hash methods (whatever Python allows), but please only use sha256.

IMPORTANT: Make sure to still fill in the md5sum attribute. This is for people with Python 2.4 or before (our RHEL5 buildbot).

2. For people with Python 2.4 or lower

Jhbuild will only look at the hash attribute in case the md5sum wasn't specified. This is to try and ensure you'll still be able to verify the tarballs with md5.

3. People with custom modulesets

Jhbuild will still look at the md5sum attribute in case the hash attribute is not specified (with some special exception for Python 2.4 or lower). Meaning: everything will work as before (file a bug if not).

4. People with an old jhbuild

After committing the sha256 modulesets I noticed a small bug in how jhbuild handled the hash attribute. In any case, please do a 'git pull --rebase' in case you receive errors.

5. People using the release team modulesets

The tarball modulesets provided by the release team as of 2.27.5 will only contain a SHA256 hash. When using these modulesets on Python 2.4 or before you will get a warning about an unsupported hash method. The release team modulesets are files such as:

http://download.gnome.org/teams/releng/2.27.4/gnome-suites-2.27.4.modules
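
The attribute-selection rules in the announcement above, as an added Python example (not jhbuild's own code): it picks between the hash and md5sum attributes of a `<branch>` element and checks tarball bytes against the chosen digest and the size attribute. The function names, the `OLD_PYTHON` set standing in for Python 2.4, and the sample entry built by `make_branch` are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

MODERN = frozenset(hashlib.algorithms_available)
OLD_PYTHON = frozenset(["md5"])  # assumption: models Python 2.4, which lacks sha256

def pick_checksum(branch, available):
    """Return (algorithm, hex digest) to check for a <branch>, or None."""
    hash_attr, md5sum = branch.get("hash"), branch.get("md5sum")
    if hash_attr:
        algo, sep, digest = hash_attr.partition(":")
        if not sep:
            raise ValueError("hash value must be prefixed, e.g. 'sha256:'")
        # Prefer hash; an old Python uses it only when md5sum is absent.
        if algo in available or not md5sum:
            return algo, digest.lower()
    return ("md5", md5sum.lower()) if md5sum else None

def verify(branch_xml, data, available=MODERN):
    """Return 'ok', 'mismatch', 'unsupported' or 'unchecked'."""
    branch = ET.fromstring(branch_xml)
    size = branch.get("size")
    if size is not None and int(size) != len(data):
        return "mismatch"
    choice = pick_checksum(branch, available)
    if choice is None:
        return "unchecked"
    algo, expected = choice
    if algo not in available:
        return "unsupported"  # the warning case for sha256-only modulesets
    return "ok" if hashlib.new(algo, data).hexdigest() == expected else "mismatch"

def make_branch(data, sha256=True, md5=True):
    """Build a constructed <branch> entry for `data` (sample input only)."""
    attrs = ['module="releases/example-1.0.tar.gz"', 'size="%d"' % len(data)]
    if sha256:
        attrs.append('hash="sha256:%s"' % hashlib.sha256(data).hexdigest())
    if md5:
        attrs.append('md5sum="%s"' % hashlib.md5(data).hexdigest())
    return "<branch %s/>" % " ".join(attrs)

SAMPLE = b"constructed tarball bytes, not a real release"

if __name__ == "__main__":
    both = make_branch(SAMPLE)
    print(verify(both, SAMPLE), verify(both, SAMPLE, OLD_PYTHON))
    print(verify(make_branch(SAMPLE, md5=False), SAMPLE, OLD_PYTHON))
```

An entry that carries only md5sum is still checked with MD5, so a custom moduleset gains nothing from the switch until its entries get a hash attribute.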