On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
> On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
> > On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
> > So Ralph and I wrote summershum, it's a simple database storing for each
> > file in each package:
> > - the packages name
> > - the filename
> > - the sha1sum of the file
> > - the tarball name
> > - the md5sum of the tarball
> >
> > I don't think we should use md5sum. It is disabled by default in recent
> > OpenSSL if I am not mistaken.
> That's what we use in the lookaside cache (the source file in your git)
Interesting, since the review guidelines [1] say this:
MUST: The sources used to build the package must match the upstream
source, as provided in the spec URL. Reviewers should use sha256sum
for this task as it is used by the sources file once imported into
git.
But checking some of my packages, you are right that the "sources"
file has md5 hashes. Maybe somebody could look into this as well.
AFAIK, the hashing mechanism to use is defined in the fedpkg
configuration file:
https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf
So theoretically, you could change it locally, and the sources you
upload would then have their sha256sum in the `sources` file.
But then, people who would download them with `fedpkg sources` (that
includes Koji builders) would receive error messages that the checksum
does not match.
So we would probably need to add a fallback mechanism in pyrpkg, so that
if sha256 verification fails, then it would try md5.
--
Mathieu
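The fallback Mathieu sketches (verify a `sources` entry with sha256 first, then fall back to md5) as a small worked example. This is added illustration code, not pyrpkg's or fedpkg's own implementation; the md5sum-style `<hexdigest>  <filename>` line format, the `verify_with_fallback` / `check_sources` names, the preferred-algorithm order and the constructed sample tarball content are all assumptions made here. The length of the stored digest tells the verifier which algorithm could have produced it, and a match on md5 is reported so a caller can tell that the file was only checked against the weaker hash.

```python
import hashlib
import hmac
import os
import tempfile
import warnings

# Hex-digest length -> algorithm; a `sources` line carries no algorithm name,
# so the digest width is the only hint about which hash was used (assumption).
HEX_LEN_TO_ALGO = {32: "md5", 64: "sha256"}
WEAK_ALGOS = {"md5"}


def file_digest(path, algo):
    """Stream a file through hashlib and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sources(text):
    """Parse md5sum-style lines '<hexdigest>  <filename>' into (filename, digest) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, filename = line.partition("  ")
        if not filename or len(digest) not in HEX_LEN_TO_ALGO:
            raise ValueError("malformed sources line: %r" % line)
        entries.append((filename, digest.lower()))
    return entries


def verify_with_fallback(path, expected, preferred=("sha256", "md5")):
    """Return the first algorithm in `preferred` whose digest of `path` equals
    `expected`, or None if nothing matches (the 'try sha256, then md5' idea)."""
    for algo in preferred:
        # A digest of the wrong width can never match; skip the hashing work.
        if hashlib.new(algo).digest_size * 2 != len(expected):
            continue
        if hmac.compare_digest(file_digest(path, algo), expected):
            return algo
    return None


def check_sources(workdir, sources_text):
    """Verify every entry of a `sources` file against files in `workdir`.
    Returns {filename: matching algorithm or None}; a match on a weak
    algorithm is flagged with a warning so the caller can tighten policy."""
    results = {}
    for filename, digest in parse_sources(sources_text):
        path = os.path.join(workdir, filename)
        try:
            algo = verify_with_fallback(path, digest)
        except FileNotFoundError:
            algo = None
        if algo in WEAK_ALGOS:
            warnings.warn("%s verified only with %s" % (filename, algo))
        results[filename] = algo
    return results


def demo():
    """Constructed demo: one sample file, checked against a sources file
    holding its md5, one holding its sha256, and one with a wrong digest."""
    workdir = tempfile.mkdtemp()
    tarball = os.path.join(workdir, "foo-1.0.tar.gz")
    with open(tarball, "wb") as fh:
        fh.write(b"not a real tarball, constructed sample payload\n")
    md5_sources = "%s  foo-1.0.tar.gz\n" % file_digest(tarball, "md5")
    sha_sources = "%s  foo-1.0.tar.gz\n" % file_digest(tarball, "sha256")
    bad_sources = "0" * 64 + "  foo-1.0.tar.gz\n"
    return {
        "md5_sources": check_sources(workdir, md5_sources),
        "sha256_sources": check_sources(workdir, sha_sources),
        "tampered": check_sources(workdir, bad_sources),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the module prints the outcome of the three constructed cases: the md5 and sha256 `sources` files both verify (the md5 one with a warning), and the tampered entry yields `None`. Keeping the matching algorithm in the result, rather than a bare pass/fail, is what lets a build system later refuse md5-only matches once every package has been re-uploaded with sha256.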