On 04/19/2012 12:37 PM, Dan Anderson wrote:
> Hash Algorithm Problem with Userland Makefiles
> --------------------------------------------------------------
> BTW, I noticed all (or most) Userland files use sha1. For example:
> zsh/Makefile:COMPONENT_ARCHIVE_HASH= sha1:8fd7a6d841770c8b12cf3ae8229dd857ecdbad93
> The sha1 hash algorithm is broken and its use requires an exemption from
> Oracle. I suggest using sha256. It works for me when I tried it. For
> example:
> trousers/Makefile: COMPONENT_ARCHIVE_HASH= sha256:b811da338cbe48a3735d5e7c25a9e31760ea49697f2f20a05124561430d36016
> - Dan
I assume that you mean that the sha1 hash algorithm has a much greater
possibility of producing collisions. The userland-fetch interface is
intended for folks to be able to make use of other and better hash
algorithms as needed. That is why the hash is specified as
{algorithm}:{value} in the Makefiles. Our current use of a hash value
is to provide us with some level of comfort that we have downloaded the
software we expected. We actually download from an internal cache of
source archives or our own external cache prior to going to the
community download site for the archive. While I don't believe that our
current use of sha1 hashes in our Makefiles constitutes any significant
risk, it's probably good advice to start having new integrations switch
to a different hash algorithm as we intended to be able to do. We will
take this up at our next C-team meeting.
Thanks,
-Norm
_______________________________________________
userland-discuss mailing list
userland-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/userland-discuss
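As an added illustration of the {algorithm}:{value} form Norm describes (example code written for this page, not userland-fetch's own code), the block below parses such a spec, checks the downloaded bytes against it with a constant-time comparison, and audits grep-style COMPONENT_ARCHIVE_HASH output so sha1 entries can be found for migration. The "strong"/"deprecated" algorithm sets and the grep-output layout are assumptions for the example; the two hash values are the ones quoted in the thread.

```python
"""Check a source archive against a Makefile COMPONENT_ARCHIVE_HASH spec
written as {algorithm}:{hexdigest}, and audit which algorithms are in use.
Added example for this thread; it is not userland-fetch's implementation."""
import hashlib
import hmac
import re

# Policy assumed for this example: sha2 family is fine as-is, sha1/md5
# are flagged as needing an exemption. Not the Userland project's policy.
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}
DEPRECATED_ALGORITHMS = {"sha1", "md5"}

# algorithm name, colon, hex digest; nothing else allowed in the spec
_SPEC_RE = re.compile(r"^(?P<alg>[a-z0-9_]+):(?P<hex>[0-9a-fA-F]+)$")

# one line of `grep COMPONENT_ARCHIVE_HASH= */Makefile` output (constructed)
_GREP_RE = re.compile(r"^(?P<path>[^:]+):\s*COMPONENT_ARCHIVE_HASH\s*=\s*(?P<spec>\S+)")


def parse_hash_spec(spec):
    """Split 'sha256:abcd...' into (algorithm, lowercase hex digest).

    Rejects malformed specs, algorithms hashlib does not know, and digests
    whose length does not match the algorithm (a truncated or mis-pasted
    value must fail closed rather than silently never match)."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError("hash spec must look like {algorithm}:{hexdigest}")
    alg, hexdigest = m.group("alg"), m.group("hex").lower()
    if alg not in hashlib.algorithms_available:
        raise ValueError("unknown hash algorithm: %s" % alg)
    expected_len = hashlib.new(alg).digest_size * 2
    if len(hexdigest) != expected_len:
        raise ValueError("%s digest must be %d hex chars, got %d"
                         % (alg, expected_len, len(hexdigest)))
    return alg, hexdigest


def hash_spec_for(data, algorithm="sha256"):
    """Produce the {algorithm}:{hexdigest} string a Makefile would carry."""
    return "%s:%s" % (algorithm, hashlib.new(algorithm, data).hexdigest())


def verify_archive(data, spec):
    """True when the archive bytes hash to the spec's digest.

    hmac.compare_digest avoids a timing side channel; it does not make sha1
    collision-resistant, which is the concern raised in the thread."""
    alg, expected = parse_hash_spec(spec)
    actual = hashlib.new(alg, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def policy_status(spec):
    """'ok' for the assumed strong set, 'deprecated' for sha1/md5,
    'unreviewed' for anything else hashlib knows about."""
    alg, _ = parse_hash_spec(spec)
    if alg in STRONG_ALGORITHMS:
        return "ok"
    if alg in DEPRECATED_ALGORITHMS:
        return "deprecated"
    return "unreviewed"


def audit_grep_output(text):
    """Walk grep output line by line and report (path, algorithm, status),
    so the Makefiles still on sha1 can be listed for migration."""
    report = []
    for line in text.splitlines():
        m = _GREP_RE.match(line)
        if not m:
            continue
        alg, _ = parse_hash_spec(m.group("spec"))
        report.append((m.group("path"), alg, policy_status(m.group("spec"))))
    return report


# Constructed sample data: a stand-in archive and grep output built from
# the two hash values quoted in the thread (values real, layout assumed).
SAMPLE_ARCHIVE = b"constructed stand-in for a source tarball\n"
SAMPLE_GREP_OUTPUT = (
    "zsh/Makefile:COMPONENT_ARCHIVE_HASH=\tsha1:"
    "8fd7a6d841770c8b12cf3ae8229dd857ecdbad93\n"
    "trousers/Makefile:COMPONENT_ARCHIVE_HASH=\tsha256:"
    "b811da338cbe48a3735d5e7c25a9e31760ea49697f2f20a05124561430d36016\n"
)

if __name__ == "__main__":
    spec = hash_spec_for(SAMPLE_ARCHIVE)
    print(spec, verify_archive(SAMPLE_ARCHIVE, spec))
    for path, alg, status in audit_grep_output(SAMPLE_GREP_OUTPUT):
        print("%-20s %-7s %s" % (path, alg, status))
```

Because the algorithm is carried in the spec, switching an integration to sha256 only changes the Makefile value; the fetch-side check stays the same, which is the property Norm points to. The length check matters in practice: a spec copied with a missing character would otherwise fail every fetch without saying why.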