Bug 490696 - mirrormanager does not supply SHA-256 in metalink files
Product: Fedora
Classification: Fedora
Component: mirrormanager
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Matt Domsch
Fedora Extras Quality Assurance
Blocks: fedora-sha2
Reported: 2009-03-17 13:03 EDT by Miloslav Trmač
Modified: 2009-05-08 17:27 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-05-08 17:27:19 EDT
Description Miloslav Trmač 2009-03-17 13:03:38 EDT
Metalink files, which point to the (optionally signed) repomd files, only contain MD5 and SHA-1 hashes. MD5 is quite weak and there has been some progress on weakening SHA-1, so the metalink files should contain a SHA-2 hash (probably SHA-256).
Comment 1 Matt Domsch 2009-03-17 14:10:50 EDT
Yep. I started looking into this, and need to know which SHA-256 Python algorithm I can use on Python 2.4 (RHEL5), please.
Comment 2 Matt Domsch 2009-03-17 14:18:59 EDT
This will require corresponding changes in yum.
Comment 3 James Antill 2009-03-17 14:24:46 EDT
Oh, on RHEL-5 ... you need python-hashlib from EPEL to get anything other than md5 or sha1. So probably better stick to sha1 there.
Comment 4 Miloslav Trmač 2009-03-18 05:27:44 EDT
python-hashlib is probably the best option - the program will naturally use the standard Python library on newer systems.

You can also use M2Crypto:
>>> import M2Crypto.EVP
>>> d = M2Crypto.EVP.MessageDigest('sha256')
>>> d.update('abc')
>>> d.final()

AFAICS yum already supports SHA-256 in metalinks (YumRepository._checkRepoXMLMetalink), but I didn't test it.
Comment 5 Matt Domsch 2009-03-19 21:43:32 EDT
Unfortunately, our Fedora Infrastructure servers are running RHEL5, which is where the MM code to generate SHA* values will be running. Looks like EPEL 5 contains python-crypto, which has a SHA256 implementation.
Comment 6 Matt Domsch 2009-03-19 21:48:38 EDT
Ah, python-hashlib is in the fi-repo now. skvidal noted on his blog that smooge may be adding it to EPEL but it's not there at the moment.

hashlib it is.
Comment 7 Matt Domsch 2009-03-19 21:52:25 EDT
dgilmore put it into epel, it's in epel-testing now. whee.
Comment 8 Matt Domsch 2009-04-07 13:32:18 EDT
mirrormanager-1.2.11, built in plague so will hit epel-testing soon, now returns sha256 and sha512 when available.
Comment 9 Matt Domsch 2009-05-08 17:27:19 EDT
This is built and in production.
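
The behaviour this bug asks for, as an added example that is not MirrorManager or yum code: the server side lists every digest the local Python can compute, and the client side verifies against the strongest listed hash while rejecting a metalink that offers only MD5 or SHA-1. The names `render_verification`, `verify`, `PREFERENCE` and the sample payload are hypothetical, and the `<verification>`/`<hash type="...">` layout is a simplified metalink fragment.

```python
import hashlib
import xml.etree.ElementTree as ET

# Weakest to strongest; a client should use the strongest hash both sides support.
PREFERENCE = ["md5", "sha1", "sha256", "sha512"]

# Constructed stand-in for a repomd.xml payload (not real repository data).
SAMPLE_REPOMD = b"<repomd><revision>1239125538</revision></repomd>\n"


def render_verification(data, algorithms=PREFERENCE):
    """Server side: emit a <verification> block with every hash we can compute."""
    root = ET.Element("verification")
    for name in algorithms:
        try:
            digest = hashlib.new(name, data).hexdigest()
        except ValueError:
            continue  # algorithm not provided by this Python build: skip it
        ET.SubElement(root, "hash", type=name).text = digest
    return ET.tostring(root, encoding="unicode")


def verify(data, verification_xml, minimum="sha256"):
    """Client side: check data against the strongest listed hash.

    Raises ValueError when the metalink lists nothing at or above `minimum`,
    so an MD5/SHA-1-only metalink is rejected instead of silently accepted.
    """
    # ElementTree is adequate for this constructed input; parse untrusted
    # metalinks with a hardened XML parser.
    listed = {h.get("type"): (h.text or "").strip().lower()
              for h in ET.fromstring(verification_xml).findall("hash")}
    usable = [n for n in PREFERENCE
              if n in listed and n in hashlib.algorithms_available]
    if not usable or PREFERENCE.index(usable[-1]) < PREFERENCE.index(minimum):
        raise ValueError("no hash at or above %s in metalink" % minimum)
    best = usable[-1]
    actual = hashlib.new(best, data).hexdigest()
    return best, actual == listed[best]


if __name__ == "__main__":
    xml_text = render_verification(SAMPLE_REPOMD)
    print(xml_text)
    print(verify(SAMPLE_REPOMD, xml_text))
    print(verify(SAMPLE_REPOMD + b"tampered", xml_text))
```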
