md5 vs sha256 in dist-git sources
Mathieu Bridon
bochecha at fedoraproject.org
Wed Feb 12 14:29:14 UTC 2014
On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
> Dne 12.2.2014 12:15, Pierre-Yves Chibon napsal(a):
>
> > On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
> > > Dne 12.2.2014 09:46, Pierre-Yves Chibon napsal(a):
> > > So Ralph and I wrote summershum; it's a simple database storing, for each file in
> > > each package:
> > > - the package's name
> > > - the filename
> > > - the sha1sum of the file
> > > - the tarball name
> > > - the md5sum of the tarball
> > >
> > > I don't think we should use md5sum. It is disabled by default in recent
> > > OpenSSL if I am not mistaken.
> > That's what we use in the lookaside cache (the source file in your git)
>
> Interesting, since review guidelines [1] says this:
>
> MUST: The sources used to build the package must match the upstream
> source, as provided in the spec URL. Reviewers should use sha256sum
> for this task as it is used by the sources file once imported into
> git.
>
> But checking some of my packages, you are right that the "sources"
> file has md5 hashes. Maybe somebody could look into this as well.
Afaik, the hashing mechanism to use is defined in the fedpkg
configuration file:
https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf
So theoretically, you could change it locally, and the sources you
upload would then have their sha256sum in the `sources` file.
But then, people who would download them with `fedpkg sources` (that
includes Koji builders) would receive error messages that the checksum
does not match.
So we would probably need to add a fallback mechanism in pyrpkg, so that
if sha256 verification fails, then it would try md5.
--
Mathieu
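
The fallback Mathieu describes, as an added example that is not part of this message and not pyrpkg's or fedpkg's own code: a hypothetical verifier that parses the two-column `sources` file ("<hexdigest>  <filename>"), tries sha256 first, falls back to md5 when that fails, and reports which algorithm actually matched so a caller can warn about entries that still rely on md5. The file names, contents and digests below are constructed for the example (the digests are the standard test-vector values of the constructed bytes), not real Fedora sources.

```python
import hashlib
from typing import Dict, Optional

# Order in which digests are tried: the algorithm configured in fedpkg.conf
# (sha256) first, then the legacy md5 still recorded in most "sources" files.
PREFERRED = "sha256"
FALLBACK = "md5"

# Constructed sample "sources" file: one old-style md5 entry and one entry
# written after switching the configured hash to sha256.
SAMPLE_SOURCES = """\
900150983cd24fb0d6963f7d28e17f72  foo-1.0.tar.gz
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592  bar-2.0.tar.gz
"""

# Constructed "tarballs" (in memory, so the example runs offline); the digests
# above are md5(b"abc") and sha256 of the fox sentence respectively.
SAMPLE_FILES = {
    "foo-1.0.tar.gz": b"abc",
    "bar-2.0.tar.gz": b"The quick brown fox jumps over the lazy dog",
}


def parse_sources(text: str) -> Dict[str, str]:
    """Parse the two-column 'sources' format into {filename: hexdigest}.

    Blank lines are skipped; anything that is not exactly two fields is
    rejected rather than guessed at.
    """
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"sources line {lineno}: expected '<digest>  <filename>'")
        digest, filename = parts
        entries[filename.strip()] = digest.strip().lower()
    return entries


def verify_with_fallback(data: bytes, recorded: str) -> Optional[str]:
    """Return the name of the algorithm whose digest of `data` equals
    `recorded`: sha256 if it matches, else md5 if that matches, else None.

    A 64-hex sha256 digest can never equal a 32-hex md5 digest, so the
    fallback only ever succeeds on entries that were recorded with md5.
    """
    for algo in (PREFERRED, FALLBACK):
        if hashlib.new(algo, data).hexdigest() == recorded:
            return algo
    return None


def check_sources(sources_text: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Verify every entry of a 'sources' file against the downloaded bytes.

    Result per filename: the matching algorithm name, "mismatch", or
    "missing" when the file was not downloaded at all.
    """
    results: Dict[str, str] = {}
    for name, recorded in parse_sources(sources_text).items():
        if name not in files:
            results[name] = "missing"
            continue
        algo = verify_with_fallback(files[name], recorded)
        results[name] = algo if algo else "mismatch"
    return results


if __name__ == "__main__":
    for name, status in check_sources(SAMPLE_SOURCES, SAMPLE_FILES).items():
        print(f"{name}: {status}")
        if status == FALLBACK:
            # The fallback keeps old entries working, but their integrity
            # guarantee is only as strong as md5 until they are re-recorded.
            print(f"  warning: {name} is still protected only by md5")
```

Note that accepting both digests does not weaken entries already recorded with sha256; it only keeps the existing md5 entries at the security level they already had, which is why the caller is told which algorithm matched.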