#5846: move away from md5 for look-aside cache

Fedora Release Engineering rel-eng at fedoraproject.org
Thu Feb 13 10:06:09 UTC 2014


#5846: move away from md5 for look-aside cache
-------------------+-----------------------
  Reporter:  till  |      Owner:  rel-eng@…
      Type:  task  |     Status:  new
 Milestone:        |  Component:  other
Resolution:        |   Keywords:
Blocked By:        |   Blocking:
-------------------+-----------------------

Comment (by bochecha):

 So, I've been attaching quite a few patches here, and I can't find a way
 to mark some as obsolete, so here are the details.

 First, these patches can be totally ignored, as I found tmz's suggestion
 in comment 8 would be better than what I had done:

 * 0001-lookaside-Add-a-new-fallback-hash.patch
 * 0001-lookaside-Adapt-to-the-rpkg-change.patch
 * 0002-lookaside-Use-sha256-instead-of-md5-by-default.patch

 Then, 0001-lookaside-Determine-which-hash-function-was-used.patch is a
 patch to apply to rpkg, which implements the following:

 * when verifying a source file, determine the hash used from the length of
 the hashed string
 * nothing changes when uploading: the hash used is the one set in the
 configuration file

 Finally, 0001-lookaside-Support-more-than-just-md5sum.patch is for the
 upload.cgi script on the lookaside server, so that when a file is
 uploaded, we don't assume the hash is md5, but determine it from the
 length of the hashed string.

 One note though: the patch for the lookaside drops compatibility with
 older versions of Python which didn't have the hashlib module.

 Those versions didn't have hash functions other than md5 and sha1, so it
 wouldn't have been possible to deal with sha256 or sha512.

 I was assured that our lookaside runs on EL 6 though, which has a recent
 enough Python, and it's the system I tested these changes on.

-- 
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5846#comment:14>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
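
The length-based detection described in the comment above can be sketched as follows. This is an added example, not the rpkg or upload.cgi patch itself; the names `detect_hash`, `verify_stream` and `HASH_BY_HEX_LENGTH` and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import string

# Hex-digest length -> hashlib algorithm name. Only the four algorithms the
# comment mentions are listed; their digest lengths do not collide.
HASH_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def detect_hash(hexdigest):
    """Return the algorithm name implied by the length of a hex digest."""
    if not hexdigest or any(c not in string.hexdigits for c in hexdigest):
        raise ValueError("not a hex digest: %r" % (hexdigest,))
    try:
        return HASH_BY_HEX_LENGTH[len(hexdigest)]
    except KeyError:
        raise ValueError("no known hash has a %d-character digest" % len(hexdigest))


def verify_stream(stream, expected, chunk_size=65536):
    """Hash a binary stream with the detected algorithm and compare digests."""
    hasher = hashlib.new(detect_hash(expected))
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        hasher.update(chunk)
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(hasher.hexdigest(), expected.lower())


# Constructed sample input: a stand-in file body and two digest entries for it.
SAMPLE = b"constructed example tarball contents\n"
SAMPLE_ENTRIES = {
    "legacy": hashlib.md5(SAMPLE).hexdigest(),
    "current": hashlib.sha512(SAMPLE).hexdigest(),
}

if __name__ == "__main__":
    for label, digest in SAMPLE_ENTRIES.items():
        ok = verify_stream(io.BytesIO(SAMPLE), digest)
        print(label, detect_hash(digest), "OK" if ok else "MISMATCH")
```

Because the algorithm is chosen from the digest itself, an existing md5 entry keeps verifying alongside newer sha256 or sha512 entries.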

