Bug 515715
| Summary: | Checksum type not mentioned for Rawhide image releases | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kamil Páral <kparal> |
| Component: | distribution | Assignee: | David Cantrell <dcantrell> |
| Status: | CLOSED ERRATA | QA Contact: | Bill Nottingham <notting> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | CC: | dcantrell, d.yu.bolkhovityanov, get.sonic, M8R-7fin56, rvokal, stein, stephent98 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pungi-2.0.21-1.fc13 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-05-04 06:15:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Kamil Páral
2009-08-05 13:22:41 UTC
Hello, the Fedora 12 (Alpha) ISO image checksum files contain the type of checksum now. However, the hint says: Hash: SHA1 while the checksum used seems to be SHA256 (like e.g. for Fedora 11 as linked from the original bug description). I have verified the following 2 files available from: http://download.fedoraproject.org/pub/fedora/linux/releases/test/12-Alpha/Fedora/i386/iso/ using sha256sum: 219778f65cb1f897f992d87715cbe83f17255fa184ef6e1571584b9bb9160521 Fedora-12-Alpha-i386-DVD.iso 06d33ed79091a19e1504233c79888966c569b8677d22d174ab5c403681090899 Fedora-12-Alpha-i386-netinst.iso and I expect the same applies to all other Fedora 12 ISO image checksums according e.g. to the length of the hash strings. This is due to a bug in our new signing server which is signing with sha1 instead of sha256. I'm working to fix that. Got bitten by this today (Fedora 12 Alpha DVD image). Had to search and read forum posts to figure out the sha256sum command. This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Unfortunately this problem appears even in final Fedora 12 release. In CHECKSUM files there is a line "Hash: SHA1" while all the hashes are SHA256 (tried for amd64). Changing the file names to "something.sha256" would be an easy fix ? Or adding text at the beginning of signed content, stating the following were sha256 hashes, would give enough warning. There are many people who redownloaded the images because of this hash issue. A few easy solutions would save everyone's time and bandwidth of users & mirrors. Yes, the CHECKSUM file content is totally misleading. The truth is: 1. .iso files are checksummed with SHA256. 2. "Hash: SHA1" applies to PGP signature. But: current situation is absolutely counter-intuitive. How can one deduce that algorythm is SHA256 instead of previously-familiar MD5 or SHA1? (Yes, that IS mentioned in https://fedoraproject.org/verify, but, honestly, how many people do know they have to read it?) Obviously there should be a comment about checksum type IN THE CHECKSUM FILE ITSELF. (And, even better, the file could mention the "sha256sum" command itself.) BTW, root of the problem is absence of type-tags in hashes. If md5sum/sha1sum/sha256sum utilities could prefixed the checksums with "md5:", "sha1:", "sha256:" etc., any possibilities for confusion will be eleminated entirely. I change the bug version back to rawhide. The same problem (unknown checksum type) applies also for F13 Alpha Test Compose: http://alt.fedoraproject.org/pub/alt/stage/13-Alpha.TC1/Fedora/x86_64/iso/ There are now two informative comments in the *-CHECKSUM files. # The image checksum(s) are generated with sha256sum. # The PGP checksum uses sha1sum. Thanks, Jesse! http://fedoraproject.org/get-prerelease?anF13a This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle. Changing version to '13'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping pungi-2.0.21-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/pungi-2.0.21-1.fc13 pungi-2.0.21-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pungi'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pungi-2.0.21-1.fc13 pungi-2.0.21-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |