Lookaside: Move away from md5

Mathieu Bridon bochecha at fedoraproject.org
Wed Mar 19 05:23:27 UTC 2014


So, a couple of things came out of the meeting on Monday concerning
these changes.

----

First, people seemed to be in agreement that having the hash type in the
path on the lookaside cache was a good idea.

That should just be a trivial change to one of the patches:
https://lists.fedoraproject.org/pipermail/infrastructure/2014-March/014189.html

I'll submit a new version of that one soon.

----

However, the discussion showed that we didn't have a clear consensus on
whether we would use only one hash or several, and which one(s) we'd
use.

To me, one thing is clear: we should keep the existing md5 hashes around
for some time, at least as long as some package modules still use an md5
hash in their "sources" file.

Dennis wants us to "convert" all of these to stronger hashes, which we
could certainly do. (I'll start looking into writing a script that does
that soon)

But the question is about what to do on new uploads.

I would personally prefer that we stored only one hash, and that we'd
use the strongest currently available. (that would be sha512?)

But Till made the point that storing multiple hashes makes it easier to
compare our sources with other projects or upstreams (as they might have
hashes for different algorithms).

At this point, I don't mind implementing that, but it seems others
preferred having only one hash...

As I said in the meeting, I'm happy to implement whatever ends up being
the consensus. Can we build one? :)


-- 
Mathieu
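
The conversion and hash-type-in-path ideas discussed in the message above, as an added sketch that is not part of the original post or of any Fedora code. The "<md5> <filename>" sources format, the path layout, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac


def digests(data, algos):
    """Hash the same bytes once per requested algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def lookaside_path(package, filename, algo, digest):
    """Hypothetical cache layout with the hash type as a path component."""
    return "/".join((package, filename, algo, digest, filename))


def convert_sources(package, sources_text, blobs, algos=("sha512",)):
    """Re-hash md5 entries, refusing any blob that fails its recorded md5.

    sources_text: lines of "<md5 hex> <filename>" (assumed format).
    blobs: filename -> cached bytes (stand-in for reading the cache).
    Returns (converted, rejected): converted maps filename to
    {algo: path}; rejected lists filenames that were not converted.
    """
    converted, rejected = {}, []
    for line in sources_text.splitlines():
        if not line.strip():
            continue
        old_md5, filename = line.split()
        data = blobs.get(filename)
        # Verify against the recorded md5 first: converting without this
        # check would attach a strong hash to whatever sits in the cache.
        if data is None or not hmac.compare_digest(
            hashlib.md5(data).hexdigest(), old_md5.lower()
        ):
            rejected.append(filename)
            continue
        converted[filename] = {
            algo: lookaside_path(package, filename, algo, digest)
            for algo, digest in digests(data, algos).items()
        }
    return converted, rejected


# Constructed sample data, not real Fedora sources.
GOOD = b"constructed tarball bytes"
SAMPLE_BLOBS = {"foo-1.0.tar.gz": GOOD, "bar-2.0.tar.gz": b"tampered"}
SAMPLE_SOURCES = "\n".join((
    hashlib.md5(GOOD).hexdigest() + "  foo-1.0.tar.gz",
    hashlib.md5(b"original").hexdigest() + "  bar-2.0.tar.gz",
))
```

Passing a single algorithm or several through `algos` covers both the one-hash and the multiple-hash options raised in the thread.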


