Bug 490696

Summary: mirrormanager does not supply SHA-256 in metalink files
Product: Fedora
Component: mirrormanager
Reporter: Miloslav Trmač <mitr>
Assignee: Matt Domsch <matt_domsch>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Version: rawhide
CC: anthonybryan, james.antill, jonstanley, matt_domsch
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-08 21:27:19 UTC
Bug Blocks: 461972

Description Miloslav Trmač 2009-03-17 17:03:38 UTC
metalink files, which point to the (optionally signed) repomd files, only contain MD5 and SHA-1 hashes.  MD5 is quite weak and there has been some progress on weakening SHA-1, so the metalink files should contain a SHA-2 hash (probably SHA-256).

Comment 1 Matt Domsch 2009-03-17 18:10:50 UTC
Yep. I started looking into this, and need to know which sha-256 python algorithm I can use on python 2.4 (RHEL5) please.

Comment 2 Matt Domsch 2009-03-17 18:18:59 UTC
This will require corresponding changes in yum.

Comment 3 James Antill 2009-03-17 18:24:46 UTC
Oh, on RHEL-5 ... you need python-hashlib from EPEL to get anything other than md5 or sha1. So probably better stick to sha1 there.

Comment 4 Miloslav Trmač 2009-03-18 09:27:44 UTC
python-hashlib is probably the best option - the program will naturally use the standard Python library on newer systems.

You can also use M2Crypto:
>>> import M2Crypto
>>> d = M2Crypto.EVP.MessageDigest('sha256')
>>> d.update('abc')
>>> d.final()
'\xbax\x16\xbf\x8f\x01\xcf\xeaAA@\xde]\xae"#\xb0\x03a\xa3\x96\x17z\x9c\xb4\x10\xffa\xf2\x00\x15\xad'

AFAICS yum already supports SHA-256 in metalinks (YumRepository._checkRepoXMLMetalink), but I didn't test it.

Comment 5 Matt Domsch 2009-03-20 01:43:32 UTC
Unfortunately, our Fedora Infrastructure servers are running RHEL5, which is where the MM code to generate SHA* values will be running.  Looks like EPEL 5 contains python-crypto, which has a SHA256 implementation.

Comment 6 Matt Domsch 2009-03-20 01:48:38 UTC
Ah, python-hashlib is in the fi-repo now. skvidal noted on his blog that smooge may be adding it to EPEL but it's not there at the moment.

hashlib it is.

Comment 7 Matt Domsch 2009-03-20 01:52:25 UTC
dgilmore put it into epel; it's in epel-testing now. Whee.

Comment 8 Matt Domsch 2009-04-07 17:32:18 UTC
mirrormanager-1.2.11, built in plague so will hit epel-testing soon, now returns sha256 and sha512 when available.
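
The two sides of this bug, generating every digest the host can compute (Comment 4) and emitting sha256/sha512 only when available (Comment 8), as an added example that is not MirrorManager's or yum's own code. It uses the standard hashlib module (what python-hashlib backported to Python 2.4), builds a simplified Metalink 3 style <verification> element (the real MirrorManager metalink carries more fields and a namespace; both are omitted here as an assumption), and shows a verifier that checks only the strongest hash present and refuses a file whose only hashes fall below a configurable minimum. The repomd body and the function names are constructed for the example.

```python
"""Added example: generate and verify metalink hash entries with the strongest
digest the interpreter supports. Not MirrorManager or yum code."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample standing in for a repomd.xml body.
SAMPLE_REPOMD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                 b'<repomd><revision>1</revision></repomd>\n')

# Weakest to strongest. The generator emits every one it can compute; the
# verifier trusts only the strongest one it finds at or above its minimum.
HASH_PREFERENCE = ("md5", "sha1", "sha256", "sha512")


def available_hashes():
    """Subset of HASH_PREFERENCE this interpreter can compute.

    On a host without a SHA-2 capable hashlib this collapses to md5/sha1,
    which is the situation Comment 3 and Comment 8 describe."""
    return tuple(n for n in HASH_PREFERENCE if n in hashlib.algorithms_available)


def digest_all(data, names=None):
    """Hex digests of `data` for every requested (default: every available) algorithm."""
    names = names or available_hashes()
    return {name: hashlib.new(name, data).hexdigest() for name in names}


def build_verification(data, names=None):
    """Build a simplified Metalink 3 style <verification> element (assumed shape):
    <verification><hash type="sha256">...</hash>...</verification>"""
    root = ET.Element("verification")
    for name, hexdigest in digest_all(data, names).items():
        ET.SubElement(root, "hash", type=name).text = hexdigest
    return root


def verify(data, verification, minimum="sha256"):
    """Check `data` against the strongest hash in `verification`.

    Returns (ok, algorithm_used). Hashes weaker than `minimum` are ignored, so a
    metalink that only carries md5/sha1 fails closed rather than being accepted
    on a weak digest. Algorithms this host cannot compute are skipped."""
    present = {h.get("type"): (h.text or "").strip().lower()
               for h in verification.findall("hash")}
    min_rank = HASH_PREFERENCE.index(minimum)
    for name in reversed(HASH_PREFERENCE):
        if HASH_PREFERENCE.index(name) < min_rank or name not in present:
            continue
        if name not in hashlib.algorithms_available:
            continue  # verifier lacks the algorithm (cf. python 2.4 without python-hashlib)
        actual = hashlib.new(name, data).hexdigest()
        return (actual == present[name], name)
    return (False, None)


if __name__ == "__main__":
    element = build_verification(SAMPLE_REPOMD)
    print(ET.tostring(element, encoding="unicode"))
    print("strong verify:", verify(SAMPLE_REPOMD, element))
    weak_only = build_verification(SAMPLE_REPOMD, names=("md5", "sha1"))
    print("weak-only verify:", verify(SAMPLE_REPOMD, weak_only))
```

The sha256 digest of b"abc" produced by digest_all is the same value as the M2Crypto output in Comment 4, just hex-encoded instead of repr-escaped.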

Comment 9 Matt Domsch 2009-05-08 21:27:19 UTC
This is built and in production.