Bug 477029 - Support sha256sums for file checksumming
Summary: Support sha256sums for file checksumming
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: createrepo
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Luke Macken
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: fedora-sha2 477030 480791
TreeView+ depends on / blocked
 
Reported: 2008-12-18 18:58 UTC by James Bowes
Modified: 2016-09-20 02:39 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-26 16:36:42 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description James Bowes 2008-12-18 18:58:41 UTC
We should support sha256 for checksums on both repodata files, and on the rpms themselves.

Comment 1 James Antill 2008-12-18 20:00:43 UTC
createrepo doesn't store the file checksums, so nothing needs to change here.

Comment 2 Miloslav Trmač 2009-01-20 15:57:10 UTC
repomd.xml can refer to other files using SHA-256 using the (deprecated) -s flag, but the package checksums (<package><checksum type="sha" pkgid="YES">..., <package pkgid="...">) are hard-coded to use SHA-1.

Because these checksums are used to verify authenticity of downloaded packages, they should be using SHA-256 as well.

The SHA-1 package checksums are hard-coded in yum.packages and createrepo.yumBased.

In addition, modifyrepo is hard-coded to use SHA-1 for added repodata files.

Comment 3 seth vidal 2009-01-26 16:36:42 UTC
This is now fixed in upstream createrepo:
http://createrepo.baseurl.org/gitweb?p=createrepo.git;a=commitdiff;h=3b43f1280d94776689816cf96c6cc8135726b240


Note You need to log in before you can comment on or make changes to this bug.