md5 vs sha256 in dist-git sources

2014-02-12 Thread Vít Ondruch
On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
> On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
>> On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
>> So Ralph and I wrote summershum, it's a simple database storing for each file in
>> each package:
>>  - the package's name
>>  - the filename
>>  - the sha1sum of the file
>>  - the tarball name
>>  - the md5sum of the tarball
>>
>> I don't think we should use md5sum. It is disabled by default in recent
>> OpenSSL if I am not mistaken.
> That's what we use in the lookaside cache (the source file in your git)
> That's what we use in the lookaside cache (the source file in your git)

Interesting, since review guidelines [1] say this:

*MUST*: The sources used to build the package must match the upstream
source, as provided in the spec URL. Reviewers should use sha256sum for
this task as it is used by the `sources` file once imported into git.

But checking some of my packages, you are right that the "sources" file
has md5 hash. Maybe somebody could look into this as well.


Vít



[1] http://fedoraproject.org/wiki/Packaging:ReviewGuidelines

___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Re: md5 vs sha256 in dist-git sources

2014-02-12 Thread Mathieu Bridon
On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
> On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
> 
> > On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
> > > On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
> > > So Ralph and I wrote summershum, it's a simple database storing for each file in
> > > each package:
> > >  - the package's name
> > >  - the filename
> > >  - the sha1sum of the file
> > >  - the tarball name
> > >  - the md5sum of the tarball
> > > 
> > > I don't think we should use md5sum. It is disabled by default in recent
> > > OpenSSL if I am not mistaken.
> > That's what we use in the lookaside cache (the source file in your git)
> 
> Interesting, since review guidelines [1] say this:
> 
> MUST: The sources used to build the package must match the upstream
> source, as provided in the spec URL. Reviewers should use sha256sum
> for this task as it is used by the sources file once imported into
> git.
> 
> But checking some of my packages, you are right that the "sources"
> file has md5 hash. Maybe somebody could look into this as well.


Afaik, the hashing mechanism to use is defined in the fedpkg
configuration file:

https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf

So theoretically, you could change it locally, and the sources you
upload would then have their sha256sum in the `sources` file.

But then, people who would download them with `fedpkg sources` (that
includes Koji builders) would receive error messages that the checksum
does not match.

So we would probably need to add a fallback mechanism in pyrpkg, so that
if sha256 verification fails, then it would try md5.


-- 
Mathieu
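
The fallback described in the message above (try sha256, then md5 if that fails), as an added example that is not part of the original post and is not pyrpkg or fedpkg code. It assumes a `HEXDIGEST  FILENAME` entry layout for the `sources` file; the function names, the `allow_md5` switch and the sample data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a fake tarball body and two entries in the
# "HEXDIGEST  FILENAME" layout assumed here for the `sources` file.
SAMPLE = b"constructed tarball bytes, for illustration only\n"
MD5_ENTRY = hashlib.md5(SAMPLE).hexdigest() + "  example-1.0.tar.gz"
SHA256_ENTRY = hashlib.sha256(SAMPLE).hexdigest() + "  example-1.0.tar.gz"


def parse_entry(line):
    """Split one entry into (lowercase hex digest, filename)."""
    digest, filename = line.split(None, 1)
    return digest.lower(), filename.strip()


def verify(data, entry, allow_md5=True):
    """Return the name of the algorithm that matched the entry.

    sha256 is tried first; md5 is tried only when sha256 did not match and
    allow_md5 is set (hypothetical switch, so the fallback can be retired
    once every entry has been re-hashed). Raises ValueError on no match.
    """
    expected, filename = parse_entry(entry)
    candidates = ["sha256"] + (["md5"] if allow_md5 else [])
    for name in candidates:
        actual = hashlib.new(name, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return name
    raise ValueError("checksum mismatch for %s (tried %s)"
                     % (filename, ", ".join(candidates)))


def audit(entries):
    """List filenames whose recorded digest is md5-sized (32 hex chars)."""
    return [parse_entry(e)[1] for e in entries if len(parse_entry(e)[0]) == 32]


if __name__ == "__main__":
    print(verify(SAMPLE, SHA256_ENTRY))      # new-style entry
    print(verify(SAMPLE, MD5_ENTRY))         # old entry, accepted via fallback
    print(audit([MD5_ENTRY, SHA256_ENTRY]))  # entries still needing a re-hash
```

Returning the matched algorithm lets the caller log every download that was only verified through the md5 fallback.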


Re: md5 vs sha256 in dist-git sources

2014-02-12 Thread Vít Ondruch
On 12.2.2014 15:29, Mathieu Bridon wrote:
> On Wed, 2014-02-12 at 13:44 +0100, Vít Ondruch wrote:
>> On 12.2.2014 12:15, Pierre-Yves Chibon wrote:
>>
>>> On Wed, Feb 12, 2014 at 11:58:15AM +0100, Vít Ondruch wrote:
>>>> On 12.2.2014 09:46, Pierre-Yves Chibon wrote:
>>>> So Ralph and I wrote summershum, it's a simple database storing for each file in
>>>> each package:
>>>>  - the package's name
>>>>  - the filename
>>>>  - the sha1sum of the file
>>>>  - the tarball name
>>>>  - the md5sum of the tarball
>>>>
>>>> I don't think we should use md5sum. It is disabled by default in recent
>>>> OpenSSL if I am not mistaken.
>>> That's what we use in the lookaside cache (the source file in your git)
>> Interesting, since review guidelines [1] say this:
>>
>> MUST: The sources used to build the package must match the upstream
>> source, as provided in the spec URL. Reviewers should use sha256sum
>> for this task as it is used by the sources file once imported into
>> git.
>>
>> But checking some of my packages, you are right that the "sources"
>> file has md5 hash. Maybe somebody could look into this as well.
>
> Afaik, the hashing mechanism to use is defined in the fedpkg
> configuration file:
>
> https://git.fedorahosted.org/cgit/fedpkg.git/tree/src/fedpkg.conf
>
> So theoretically, you could change it locally, and the sources you
> upload would then have their sha256sum in the `sources` file.
>
> But then, people who would download them with `fedpkg sources` (that
> includes Koji builders) would receive error messages that the checksum
> does not match.
>
> So we would probably need to add a fallback mechanism in pyrpkg, so that
> if sha256 verification fails, then it would try md5.
>
>

Looks to be sub-optimal so to say :)


Vít

Re: md5 vs sha256 in dist-git sources

2014-02-12 Thread Kevin Fenzi
There's a releng ticket (formerly infra) about moving away from md5 for
this. 

https://fedorahosted.org/rel-eng/ticket/5846

I'm sure any offers of help would be welcome. :) 

kevin



Re: md5 vs sha256 in dist-git sources

2014-02-12 Thread Mathieu Bridon
On Wed, 2014-02-12 at 08:22 -0700, Kevin Fenzi wrote:
> There's a releng ticket (formerly infra) about moving away from md5 for
> this. 
> 
> https://fedorahosted.org/rel-eng/ticket/5846
> 
> I'm sure any offers of help would be welcome. :) 

Done.


-- 
Mathieu
