gnu-octave / symbolic

A Symbolic Package for Octave using SymPy
https://octave.sourceforge.io/symbolic/
GNU General Public License v3.0

Makefile: Compute and display SHA-256 of tarballs in `make release` #1208

Open alexvong243f opened 2 years ago

alexvong243f commented 2 years ago

We should compute and display SHA-256 hashes of tarballs in make release and make it clear that MD5 is unsafe and for compatibility only. I think we should keep all the MD5 hashes for now to avoid any compatibility issues related to sourceforge. But after sourceforge is retired, it should be safe to remove all uses of MD5.

HOWTO-release.md should also be updated accordingly.

Related to #1180.
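A possible shape for the release step described above, written as an added shell example rather than the project's own Makefile: it records SHA-256 hashes as the primary checksum, keeps MD5 in a separate file labelled as legacy, and verifies a tarball against the recorded SHA-256 so a corrupted or altered download is detected. The tarball name `symbolic-0.0.0.tar.gz` and its contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the gnu-octave/symbolic repository.
set -eu

# Constructed sample release directory with one placeholder tarball.
WORK="$(mktemp -d)"
mkdir -p "$WORK/symbolic-0.0.0"
printf 'placeholder package contents\n' > "$WORK/symbolic-0.0.0/DESCRIPTION"
tar -C "$WORK" -czf "$WORK/symbolic-0.0.0.tar.gz" symbolic-0.0.0

# Write SHA256SUMS (primary) and MD5SUMS (legacy) for every tarball in $1
# and display both, making the status of each hash explicit.
release_hashes() {
    dir="$1"
    ( cd "$dir" && sha256sum ./*.tar.gz > SHA256SUMS )
    ( cd "$dir" && md5sum ./*.tar.gz > MD5SUMS )
    echo "SHA-256 (verify downloads against these):"
    cat "$dir/SHA256SUMS"
    echo "MD5 (legacy, kept for SourceForge compatibility only; not collision resistant):"
    cat "$dir/MD5SUMS"
}

# Check every tarball in $1 against SHA256SUMS; exit status 0 only if all match.
verify_release() {
    dir="$1"
    ( cd "$dir" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

release_hashes "$WORK"
verify_release "$WORK" && echo "SHA-256 verification OK"
```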

cbm755 commented 2 years ago

Sounds good but I'm not sure how much of the pkg install -forge routines use md5 and those are still in use back to Octave 4 or something like that. So tread lightly and keep both!

alexvong243f commented 2 years ago

Sure, we should wait long enough and test thoroughly before removing any legacy stuff.

Also, we should investigate whether upstream is still using legacy hash functions such as MD5 or SHA-1 and fix it accordingly. For instance, help hash still uses MD5 and SHA-1 as the only examples, which isn't helpful if we want users not to use them...