Michal Schorm wrote:
> The time had to come, when two packages would generate the same hash.
Well, yes, depending on hash codes being globally unique is broken by
design. Hash collisions exist. They can happen both by accident (because
hash functions cannot possibly be injective because the range is smaller
than the domain) and by design (when really the same binary is compiled
under the same conditions twice, or even a binary from a third party is
bundled by multiple proprietary RPMs, which I suspect is what happened for
discord and skypeforlinux).
The build-id concept needs to be completely redesigned to not rely on hash
codes. We should go by file name or even package EVR + file name (as a
complete string, not hashed) instead. (In fact, that used to be how things
worked before build-ids were introduced, and there were never any issues
with that approach.)
Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
