On Tue, 2016-03-22 at 09:12 -0400, Josh Boyer wrote:
> On Tue, Mar 22, 2016 at 9:02 AM, David Woodhouse <dw...@infradead.org> wrote:
> > 
> > The original draft does raise an interesting question — do we need
> > to put the upstream PGP key directly into the package git tree
> > instead of the lookaside cache?
> > 
> > I suppose while the lookaside cache is still only using MD5(!) to
> > validate what it downloads, the answer to that is an unequivocal
> > 'yes'.
> As an aside, I think Till has code written to make the lookaside use
> sha256.  I'm not sure what the next steps are to get that rolled out
> though.

Code-wise, everything is ready, both on the server-side and on the
client-side.

The only thing needed now is to flip the switch from md5 to sha512.

But doing so would mandate an upgrade for every packager, since
enforcing sha512 means older fedpkg versions still using md5 would get
their uploads refused.

As a result, the Releng team collectively decided to hold off the move,
and bundle it with other similarly breaking changes (new Koji
certificates, for example).

All the details are here:

    https://fedorahosted.org/rel-eng/ticket/5846


-- 
Mathieu
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
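The message above describes two things at once: the lookaside cache validating downloaded sources against a stored hash, and the compatibility break that follows when the server starts refusing md5 entries while older clients still emit them. The following Python is an added illustration of that mechanism and is not code from fedpkg, the lookaside server, or anyone in this thread. It assumes two line shapes for a `sources` file (an older `<md5hex>  <filename>` form and a newer `<ALGO> (<filename>) = <hexdigest>` form), an in-memory stand-in for the download directory, and a server policy expressed as a set of accepted algorithms; all three are assumptions made for the example.

```python
import hashlib
import re

# Assumed line shapes for a lookaside "sources" file (not taken from the thread):
#   old style:  "<32 hex chars>  <filename>"          -> implicitly md5
#   new style:  "SHA512 (<filename>) = <hex digest>"  -> algorithm is explicit
OLD_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")
NEW_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+\((\S+)\)\s+=\s+([0-9a-f]+)$", re.I)


def parse_sources_line(line):
    """Return (algorithm, filename, expected_hexdigest) for one sources line."""
    line = line.strip()
    m = NEW_RE.match(line)
    if m:
        return m.group(1).lower(), m.group(2), m.group(3).lower()
    m = OLD_RE.match(line)
    if m:
        # Old-style lines carry no algorithm name; they are md5 by convention.
        return "md5", m.group(2), m.group(1)
    raise ValueError(f"unrecognised sources line: {line!r}")


def verify_sources(sources_text, files, accepted):
    """Validate each listed file against its recorded digest.

    files:    mapping filename -> bytes (stands in for the download directory)
    accepted: set of algorithm names the server policy allows; an entry using
              any other algorithm is refused before its digest is even checked.
    Returns a list of (filename, algorithm, status) with status in
    {"ok", "mismatch", "refused", "missing"}.
    """
    results = []
    for line in sources_text.splitlines():
        if not line.strip():
            continue
        algo, name, expected = parse_sources_line(line)
        if algo not in accepted:
            results.append((name, algo, "refused"))
            continue
        if name not in files:
            results.append((name, algo, "missing"))
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        results.append((name, algo, "ok" if actual == expected else "mismatch"))
    return results


def demo():
    """Constructed scenario: one entry from an old (md5) client, one from an upgraded one."""
    # Constructed stand-ins for upstream tarballs; not real release artifacts.
    files = {
        "foo-1.0.tar.gz": b"constructed upstream tarball contents",
        "bar-2.1.tar.xz": b"another constructed tarball",
    }
    old_client_line = f"{hashlib.md5(files['foo-1.0.tar.gz']).hexdigest()}  foo-1.0.tar.gz"
    new_client_line = f"SHA512 (bar-2.1.tar.xz) = {hashlib.sha512(files['bar-2.1.tar.xz']).hexdigest()}"
    sources = "\n".join([old_client_line, new_client_line])

    # Before the switch: server code understands both, so both entries validate.
    before = verify_sources(sources, files, accepted={"md5", "sha512"})
    # After the switch: md5 is dropped from policy, so the old client's upload is refused.
    after = verify_sources(sources, files, accepted={"sha512"})
    # Tampered download: the recorded digest no longer matches the bytes.
    tampered = dict(files, **{"bar-2.1.tar.xz": b"another constructed tarball, modified"})
    corrupted = verify_sources(sources, tampered, accepted={"sha512"})
    return {"before": before, "after": after, "corrupted": corrupted}


if __name__ == "__main__":
    for scenario, rows in demo().items():
        print(scenario)
        for name, algo, status in rows:
            print(f"  {name:16} {algo:7} {status}")
```

Flipping the switch in this model is nothing more than removing `"md5"` from `accepted`; every client still writing old-style lines is refused from that moment on, which is the packager-upgrade requirement the message points to.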
