On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
> On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
> > On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
> > > On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
> > > > So Ralph and I wrote summershum, it's a simple database storing for each file in
> > > > each package:
> > > > - the package's name
> > > > - the filename
> > > > - the sha1sum of the file
> > > > - the tarball name
> > > > - the md5sum of the tarball
> > >
> > > I don't think we should use md5sum. It is disabled by default in recent
> > > OpenSSL if I am not mistaken.
> >
> > That's what we use in the lookaside cache (the source file in your git)
>
> Interesting, since the review guidelines [1] say this:
>
> MUST: The sources used to build the package must match the upstream
> source, as provided in the spec URL. Reviewers should use sha256sum
> for this task as it is used by the sources file once imported into
> git.
>
> But checking some of my packages, you are right that the "sources"
> file has an md5 hash. Maybe somebody could look into this as well.

AFAIK, the hashing mechanism to use is defined in the fedpkg configuration file:

https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf

So theoretically, you could change it locally, and the sources you upload would then have their sha256sum in the `sources` file. But then, people who would download them with `fedpkg sources` (that includes Koji builders) would receive error messages that the checksum does not match.

So we would probably need to add a fallback mechanism in pyrpkg, so that if sha256 verification fails, then it would try md5.

--
Mathieu

_______________________________________________
infrastructure mailing list
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
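The fallback Mathieu proposes, as an added illustration that is not pyrpkg's or fedpkg's own code: parse a legacy `sources` file of "<hexdigest>  <filename>" lines, verify each file with sha256 first and md5 second, and report which algorithm matched so md5-only entries can be flagged for migration. The sample tarball bytes, filenames and the `sources` content are constructed here.

```python
import hashlib
import os
import tempfile

# Constructed sample bytes standing in for an uploaded tarball.
SAMPLE_TARBALL = b"not a real tarball, just constructed sample bytes\n"


def parse_sources(text):
    """Parse legacy "<hexdigest>  <filename>" lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:          # skip blank or malformed lines
            entries[parts[1]] = parts[0].lower()
    return entries


def verify_with_fallback(path, expected, order=("sha256", "md5")):
    """Return the first algorithm in `order` whose digest of `path` matches
    `expected`, or None. This is the fallback the thread proposes: try
    sha256, then md5. A result of "md5" flags a legacy entry to migrate."""
    with open(path, "rb") as fh:
        data = fh.read()
    for algo in order:
        if hashlib.new(algo, data).hexdigest() == expected:
            return algo
    return None


def check_sources(sources_text, directory):
    """Verify every entry of a sources file; return {filename: algo or None}."""
    return {name: verify_with_fallback(os.path.join(directory, name), digest)
            for name, digest in parse_sources(sources_text).items()}


def demo():
    """Write three sample files and a sources file mixing a sha256 entry, an
    md5 entry and a corrupted digest, then run the check."""
    tmp = tempfile.mkdtemp()
    for name in ("a.tar.gz", "b.tar.gz", "c.tar.gz"):
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(SAMPLE_TARBALL)
    sources = "\n".join([
        hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  a.tar.gz",
        hashlib.md5(SAMPLE_TARBALL).hexdigest() + "  b.tar.gz",
        "0" * 32 + "  c.tar.gz",         # wrong digest: neither algorithm matches
    ])
    return check_sources(sources, tmp)
```

Note that on an OpenSSL build where MD5 is disabled, `hashlib.new("md5")` can raise `ValueError`, which is the failure mode Vít alludes to; a production fallback would have to catch that and treat the entry as unverifiable.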