Re: md5 vs sha256 in dist-git sources

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
> Dne 12.2.2014 12:15, Pierre-Yves Chibon napsal(a):
> 
> > On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
> > >    Dne 12.2.2014 09:46, Pierre-Yves Chibon napsal(a):
> > >  So Ralph and I wrote summershum, it's a simple database storing for each file in
> > >  each package:
> > >   - the packages name
> > >   - the filename
> > >   - the sha1sum of the file
> > >   - the tarball name
> > >   - the md5sum of the tarball
> > > 
> > >    I don't think we should use md5sum. It is disabled by default in recent
> > >    OpenSSL if I am not mistaken.
> > That's what we use in the lookaside cache (the source file in your git)
> 
> Interesting, since review guidelines [1] says this:
> 
> MUST: The sources used to build the package must match the upstream
> source, as provided in the spec URL. Reviewers should use sha256sum
> for this task as it is used by the sources file once imported into
> git.
> 
> But checking some of my packages, you are right that the "sources"
> file has md5 has. May be somebody could look into this as well.


Afaik, the hashing mechanism to use is defined in the fedpkg
configuration file:

https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf

So theoretically, you could change it locally, and the sources you
upload would then have their sha256sum in the `sources` file.

But then, people who would download them with `fedpkg sources` (that
includes Koji builders) would receive error messages that the checksum
does not match.

So we would probably need to add a fallback mechanism in pyrpkg, so that
if sha256 verification fails, then it would try md5.


-- 
Mathieu

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure





[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux