On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
   On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
 So Ralph and I wrote summershum, it's a simple database storing for each file in
 each package:
  - the package's name
  - the filename
  - the sha1sum of the file
  - the tarball name
  - the md5sum of the tarball

   I don't think we should use md5sum. It is disabled by default in recent
   OpenSSL if I am not mistaken.
That's what we use in the lookaside cache (the source file in your git)

Interesting, since the review guidelines [1] say this:

MUST: The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git.

But checking some of my packages, you are right that the "sources" file has an md5 hash. Maybe somebody could look into this as well.


Vít



[1] http://fedoraproject.org/wiki/Packaging:ReviewGuidelines