Bug 834743

Summary: fedpkg is depending on md5, which is not allowed in fips mode
Product: [Fedora] Fedora
Component: fedpkg
Version: 24
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Paul Wouters <pwouters>
Assignee: cqi
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cqi, dcantrell, kdudka, lsedlar, mcepl, mcepl
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-12-13 08:18:26 UTC

Description Paul Wouters 2012-06-23 05:08:22 UTC
fedpkg won't work in fips mode because it checks the file download checksums in the sources file using md5.

md5 is weak, and we should not trust it to verify network-obtained files.

It would be good if we can migrate away from md5 in the sources file to sha1 or sha256. As this migration will probably take a while, due to packagers needing to update their sources files, it should start sooner rather than later.

Comment 1 Kamil Dudka 2012-08-28 12:41:54 UTC
Is there any workaround for this bug?

Comment 2 Fedora Admin XMLRPC Client 2012-11-30 18:27:28 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Fedora End Of Life 2013-04-03 14:32:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 4 Dennis Gilmore 2013-12-16 00:20:48 UTC
Lookaside cache needs md5. Right now it is absolutely required. We need to convert the whole lookaside cache to sha356sum to move off of needing md5.

Comment 5 Jan Kurik 2015-07-15 15:07:14 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 6 Jan Kurik 2016-02-24 13:11:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 7 cqi 2016-08-23 08:00:58 UTC
Is sha512sum okay?

Comment 8 Lubomír Sedlář 2016-12-13 08:18:26 UTC
As of Dec 12 and fedpkg-1.26 newly uploaded sources will use SHA512.

https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

Comment 9 Paul Wouters 2016-12-13 19:39:28 UTC
awesome! Thanks!
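
An added example, not part of the bug report and not fedpkg's own code: a verifier for `sources` entries that refuses the legacy MD5 form raised in the description and checks the SHA512 form mentioned in comment 8. The two line formats and the names `parse_sources`, `verify` and `ALLOWED` are assumptions made for this example; the sample data is constructed.

```python
import hashlib
import hmac
import re

# Line formats assumed here (the bug report does not show them):
#   legacy:    "<32 hex chars>  <filename>"            (implicit MD5)
#   BSD-style: "SHA512 (<filename>) = <128 hex chars>"
LEGACY = re.compile(r"^([0-9a-f]{32})\s+(\S.*)$")
BSD = re.compile(r"^([A-Z0-9]+) \((.+)\) = ([0-9a-f]+)$")
ALLOWED = {"SHA512": 128}  # algorithm -> expected hex digest length


def parse_sources(text):
    """Return a list of (algorithm, filename, hexdigest) tuples."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = BSD.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = LEGACY.match(line)
        if m:
            entries.append(("MD5", m.group(2), m.group(1)))
            continue
        raise ValueError(f"unrecognised sources line: {line!r}")
    return entries


def verify(entry, data):
    """Check downloaded bytes against one entry; refuse weak or unknown algorithms."""
    algo, name, expected = entry
    if algo not in ALLOWED:
        # Decided before any hashing, so the outcome is the same whether or
        # not the host's crypto library still offers MD5 (e.g. in FIPS mode).
        return (name, "rejected: " + algo + " not allowed")
    if len(expected) != ALLOWED[algo]:
        return (name, "rejected: malformed digest")
    actual = hashlib.new(algo.lower(), data).hexdigest()
    return (name, "ok" if hmac.compare_digest(actual, expected) else "mismatch")


# Constructed sample: one legacy-style entry (32 hex chars, never hashed with
# MD5 here) and one SHA512 entry computed over the same constructed bytes.
TARBALL = b"constructed sample tarball contents\n"
SAMPLE = (
    hashlib.sha512(b"x").hexdigest()[:32] + "  old-1.0.tar.gz\n"
    "SHA512 (new-1.0.tar.gz) = " + hashlib.sha512(TARBALL).hexdigest() + "\n"
)
RESULTS = [verify(e, TARBALL) for e in parse_sources(SAMPLE)]
```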