md5 vs sha256 in dist-git sources

Vít Ondruch vondruch at redhat.com
Wed Feb 12 12:44:47 UTC 2014


On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
> On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
>>    On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
>>  So Ralph and I wrote summershum, it's a simple database storing for each file in
>>  each package:
>>   - the package's name
>>   - the filename
>>   - the sha1sum of the file
>>   - the tarball name
>>   - the md5sum of the tarball
>>
>>    I don't think we should use md5sum. It is disabled by default in recent
>>    OpenSSL if I am not mistaken.
> That's what we use in the lookaside cache (the source file in your git)

Interesting, since the review guidelines [1] say this:

*MUST*: The sources used to build the package must match the upstream
source, as provided in the spec URL. Reviewers should use sha256sum for
this task as it is used by the |sources| file once imported into git.

But checking some of my packages, you are right that the "sources" file
has md5 hash. Maybe somebody could look into this as well.


Vít



[1] http://fedoraproject.org/wiki/Packaging:ReviewGuidelines
