On Thu, 2009-11-19 at 06:09 +0530, Rahul Sundaram wrote:
> On 11/19/2009 06:04 AM, Ladislav Bodnar wrote:
> > On Thursday 19 November 2009, Rahul Sundaram wrote:
> >> Note that changing HASH: SHA1 to anything else in the top of the file
> >> will make the gpg check fail since it writes it out that way. So it's
> >> sort of a tricky issue to solve. Not sloppiness.
> >
> > Maybe it would be simpler to call the file SHA256SUM (or SHA256) instead of
> > CHECKSUM? As far as I remember, these files used to be called MD5SUM, then
> > SHA1SUM, which made it very clear what was inside. But with so many
> > different checksum standards, calling the file CHECKSUM is bound to lead to
> > confusion.
>
> I think the generic name was picked up because nobody believes that
> SHA256 hashes are going to be cryptographically secure for a long time
> and we are bound to switch to stronger checksums over a period of time
> but I think, a clear filename does make it easier to avoid this
> mass confusion. Jesse Keating?
>
> Rahul
>

Changing the filename each time was getting to be a hassle, so we named
the file generically. This happened not only in pungi, but in many of
the other tools we had to update when moving from md5 or sha1 to sha256.
Since we know we'll have to do it again we've made that task easier next
time.

The solution here is to put a blurb in the file itself about how to
verify it. That is something I'm going to do, but by the time it was
suggested and I conceded that it was needed, we were past the feature
freeze and I was not going to introduce a feature in our compose tool at
that point.

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
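
Added example, not part of the thread and not Fedora's or pungi's code: a reader for a generically named, clearsigned CHECKSUM file that infers the file-digest algorithm from the digest length and reports the armor "Hash:" header separately, since that header names the digest of the OpenPGP signature and not of the listed files. The sha256sum-style line layout, the function names and the sample file are assumptions constructed for illustration.

```python
import hashlib
import re

# Hex digest length -> hashlib name. Assumes the file only ever uses
# MD5, SHA-1 or SHA-2 digests (an assumption of this example).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ENTRY_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")  # sha256sum-style line

def parse_checksum_file(text):
    """Return (armor_hash, {filename: (algo, hexdigest)}).

    Run `gpg --verify` on the file first: this parser authenticates nothing.
    """
    armor_hash, entries, in_headers = None, {}, False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_headers = True
        elif in_headers:
            # Armor headers end at the first blank line. "Hash:" names the
            # digest of the OpenPGP signature, not of the listed files.
            if line.startswith("Hash:"):
                armor_hash = line.split(":", 1)[1].strip()
            elif not line.strip():
                in_headers = False
        elif line == "-----BEGIN PGP SIGNATURE-----":
            break
        else:
            m = ENTRY_RE.match(line)
            if m:
                digest, name = m.group(1).lower(), m.group(2)
                if len(digest) not in ALGO_BY_HEX_LEN:
                    raise ValueError(f"unrecognised digest length for {name}")
                entries[name] = (ALGO_BY_HEX_LEN[len(digest)], digest)
    return armor_hash, entries

def verify(data, name, entries):
    """Hash data with the algorithm inferred for name and compare."""
    algo, expected = entries[name]
    return hashlib.new(algo, data).hexdigest() == expected

# Constructed sample: SHA1 in the armor header, SHA-256 digests in the body.
SAMPLE_DATA = b"constructed ISO contents\n"
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    f"{hashlib.sha256(SAMPLE_DATA).hexdigest()} *example.iso\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "(signature omitted in this constructed sample)\n"
    "-----END PGP SIGNATURE-----\n"
)
```

Lines that do not look like a digest entry, such as an explanatory blurb at the top of the file, are skipped; a digest of unrecognised length raises instead of being guessed at.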