On 12.2.2014 15:29, Mathieu Bridon wrote:
> On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
>> On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
>>
>>> On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
>>>> On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
>>>> So Ralph and I wrote summershum, it's a simple database storing for each file in
>>>> each package:
>>>> - the packages name
>>>> - the filename
>>>> - the sha1sum of the file
>>>> - the tarball name
>>>> - the md5sum of the tarball
>>>>
>>>> I don't think we should use md5sum. It is disabled by default in recent
>>>> OpenSSL if I am not mistaken.
>>> That's what we use in the lookaside cache (the source file in your git)
>> Interesting, since review guidelines [1] says this:
>>
>> MUST: The sources used to build the package must match the upstream
>> source, as provided in the spec URL. Reviewers should use sha256sum
>> for this task as it is used by the sources file once imported into
>> git.
>>
>> But checking some of my packages, you are right that the "sources"
>> file has md5 hash. Maybe somebody could look into this as well.
>
> Afaik, the hashing mechanism to use is defined in the fedpkg
> configuration file:
>
> https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf
>
> So theoretically, you could change it locally, and the sources you
> upload would then have their sha256sum in the `sources` file.
>
> But then, people who would download them with `fedpkg sources` (that
> includes Koji builders) would receive error messages that the checksum
> does not match.
>
> So we would probably need to add a fallback mechanism in pyrpkg, so that
> if sha256 verification fails, then it would try md5.
>
> Looks to be sub-optimal so to say :)

Vít

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
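The "try sha256, then fall back to md5" idea from the thread can be done without a blind fallback: in the md5sum-style `sources` layout (`<hexdigest>  <filename>`) the digest length already identifies the algorithm, so a verifier can pick the right hash and, at the same time, report which entries still rely on md5. The following is an added, stand-alone illustration written for this page, not code from pyrpkg or fedpkg; the file names, contents and the `sources` lines are constructed.

```python
import hashlib
import os
import tempfile

# Digest length in hex characters identifies the algorithm that wrote a
# `sources` line, so no sha256-then-md5 fallback is needed; weak ones get flagged.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK_ALGOS = {"md5", "sha1"}

def parse_sources(text):
    """Yield (algo, hexdigest, filename) for each non-empty sources line."""
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        digest = fields[0].lower()
        name = fields[1].strip() if len(fields) > 1 else ""
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None or not name or os.sep in name:  # unknown size or path escape
            raise ValueError("unrecognised or unsafe sources line: %r" % line)
        yield algo, digest, name

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_sources(sources_text, directory):
    """Return {filename: (algo, matches, weak_algo)} for every sources entry."""
    results = {}
    for algo, expected, name in parse_sources(sources_text):
        actual = file_digest(os.path.join(directory, name), algo)
        results[name] = (algo, actual == expected, algo in WEAK_ALGOS)
    return results

def demo():
    """Constructed data: a sha256 entry, a legacy md5 entry and a tampered file."""
    d = tempfile.mkdtemp()
    cases = [("foo-1.0.tar.gz", "sha256", b"foo 1.0\n", b"foo 1.0\n"),
             ("bar-2.0.tar.gz", "md5", b"bar 2.0\n", b"bar 2.0\n"),
             ("baz-3.0.tar.gz", "sha256", b"baz 3.0 recorded\n", b"baz 3.0 downloaded\n")]
    lines = []
    for name, algo, recorded, on_disk in cases:
        with open(os.path.join(d, name), "wb") as f:
            f.write(on_disk)
        lines.append("%s  %s" % (hashlib.new(algo, recorded).hexdigest(), name))
    return verify_sources("\n".join(lines), d)
```

`demo()` reports the md5 entry as matching but weak, and the tampered tarball as a mismatch even though its digest is well-formed.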