#5846: move away from md5 for look-aside cache

Fedora Release Engineering rel-eng at fedoraproject.org
Wed Feb 12 16:10:59 UTC 2014


#5846: move away from md5 for look-aside cache
-------------------+-----------------------
  Reporter:  till  |      Owner:  rel-eng@…
      Type:  task  |     Status:  new
 Milestone:        |  Component:  other
Resolution:        |   Keywords:
Blocked By:        |   Blocking:
-------------------+-----------------------

Comment (by bochecha):

 > Wouldn't it be easier to change the syntax of the sources file, so it is
 > clear which hash was used?

 Other tools are based on the pyrpkg API, I know of at least:
 * nbpkg: my own fedpkg equivalent at $dayjob
 * goosepkg: GoOSe Linux's fedpkg equivalent
 * rhpkg: RHEL's fedpkg equivalent

 There might be others, for example I wouldn't be surprised if CentOS was
 using it too.

 The fact that it was md5 previously is configured in the /etc/fedpkg.conf
 file, so you can't assume that all of these tools have been using md5 so
 far: they might very well have started from scratch with sha256 for
 example.

 To me, this is a strong argument in favour of being able to specify the
 previously used hash, as a fallback.

 It doesn't preclude the fact that we could indeed change the format of the
 sources file, of course.

 You mentioned the advantage: it makes it explicit which hash was used.

 The drawback is that the currently trivial way to fill it without fedpkg
 would not work any more:


 {{{
 $ md5sum foo-1.0.tar.xz > sources
 }}}

 In any case, I'd be happy to provide additional patches to implement this
 if people feel like it would be interesting. I still think that
 introducing a « previous hash » configuration option is important.

-- 
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5846#comment:7>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
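
The fallback discussed in the comment above, sketched as an added example that is not code from the ticket or from pyrpkg: each md5sum-style `sources` line is checked against the configured hash first and then against a previously used one, and the result reports which hash verified each file. The function names, the `previous_hashtype` parameter and the sample data are assumptions made for illustration.

```python
import hashlib

# Hypothetical helper names; this is not pyrpkg's API.

def parse_sources(text):
    """Parse md5sum-style lines ('<hexdigest>  <filename>') into pairs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        # md5sum marks binary mode with a leading '*' on the file name.
        entries.append((digest.lower(), name.strip().lstrip("*")))
    return entries


def matching_hash(data, recorded, hashtype, previous_hashtype=None):
    """Return the hash name that matches `recorded`, or None.

    The configured hash is tried first, then the previous one. Because the
    sources line does not name its hash, a candidate is skipped when the
    recorded digest has the wrong length for it.
    """
    for algo in (hashtype, previous_hashtype):
        if algo is None:
            continue
        h = hashlib.new(algo, data)
        if len(recorded) != h.digest_size * 2:
            continue
        if h.hexdigest() == recorded:
            return algo
    return None


def check_sources(sources_text, files, hashtype, previous_hashtype=None):
    """Map each file name to the hash that verified it (None on mismatch)."""
    return {
        name: matching_hash(files[name], digest, hashtype, previous_hashtype)
        for digest, name in parse_sources(sources_text)
    }


# Constructed sample: one file recorded with md5, one with sha256.
FILES = {"foo-1.0.tar.xz": b"constructed tarball bytes",
         "bar-2.0.tar.gz": b"another constructed payload"}
SOURCES = "%s  foo-1.0.tar.xz\n%s  bar-2.0.tar.gz\n" % (
    hashlib.md5(FILES["foo-1.0.tar.xz"]).hexdigest(),
    hashlib.sha256(FILES["bar-2.0.tar.gz"]).hexdigest())

if __name__ == "__main__":
    print(check_sources(SOURCES, FILES, "sha256", previous_hashtype="md5"))
```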

