metalink files, which point to the (optionally signed) repomd files, only contain MD5 and SHA-1 hashes. MD5 is quite weak and there has been some progress on weakening SHA-1, so the metalink files should contain a SHA-2 hash (probably SHA-256).
Yep. I started looking into this, and need to know which SHA-256 Python algorithm I can use on Python 2.4 (RHEL5), please.
This will require corresponding changes in yum.
Oh, on RHEL-5 ... you need python-hashlib from EPEL to get anything other than md5 or sha1. So it's probably better to stick with sha1 there.
python-hashlib is probably the best option - the program will naturally use the standard Python library on newer systems. You can also use M2Crypto:

    >>> import M2Crypto
    >>> d = M2Crypto.EVP.MessageDigest('sha256')
    >>> d.update('abc')
    >>> d.final()
    '\xbax\x16\xbf\x8f\x01\xcf\xeaAA@\xde]\xae"#\xb0\x03a\xa3\x96\x17z\x9c\xb4\x10\xffa\xf2\x00\x15\xad'

AFAICS yum already supports SHA-256 in metalinks (YumRepository._checkRepoXMLMetalink), but I didn't test it.
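Added example (editor's code, not MirrorManager's or yum's): the two halves of what this ticket is about, a generator that emits every digest the local hashlib offers for a repomd.xml body as a Metalink 3.0 `<verification>` element, and a client-side check that refuses to trust a metalink whose strongest offered hash is below SHA-256. It assumes the Metalink 3.0 `<hash type="...">` element layout and a constructed stand-in body; the function names are illustrative. On a Python 2.4 host the `hashlib` import would come from the python-hashlib package discussed above, and `hashlib.new()` raising `ValueError` for an unknown algorithm is what lets an old host emit only what it can.

```python
"""Digest set for a metalink <verification> block, plus a verifier that
prefers the strongest advertised hash.  Example code, not MirrorManager
or yum code; the element layout follows Metalink 3.0 as assumed here."""
import hashlib

# Weakest to strongest.  The order doubles as the verifier's preference
# order (it walks the list from the right).
DIGESTS = ("md5", "sha1", "sha256", "sha512")


def compute_hashes(data, algorithms=DIGESTS):
    """Return {algorithm: hex digest} for every algorithm this Python offers.

    hashlib.new() raises ValueError for a name it does not know (e.g. a
    build without SHA-2), so such names are skipped and the generator
    emits whatever the host can compute instead of failing outright.
    """
    out = {}
    for name in algorithms:
        try:
            h = hashlib.new(name)
        except ValueError:
            continue
        h.update(data)
        out[name] = h.hexdigest()
    return out


def verification_xml(hashes, indent="      "):
    """Render a Metalink 3.0 <verification> element, one <hash> per digest."""
    lines = [indent + "<verification>"]
    for name in DIGESTS:
        if name in hashes:
            lines.append('%s  <hash type="%s">%s</hash>' % (indent, name, hashes[name]))
    lines.append(indent + "</verification>")
    return "\n".join(lines)


def verify(data, advertised, minimum="sha256"):
    """Check data against the strongest advertised hash at or above `minimum`.

    Returns the algorithm used.  Raises ValueError when no acceptable hash
    is advertised or the digest mismatches, so a metalink carrying only
    md5/sha1 (the situation this ticket describes) is rejected, not trusted.
    """
    ranking = list(DIGESTS)
    acceptable = ranking[ranking.index(minimum):]
    for name in reversed(acceptable):
        if name in advertised:
            actual = hashlib.new(name, data).hexdigest()
            if actual != advertised[name].lower():
                raise ValueError("%s mismatch for downloaded file" % name)
            return name
    raise ValueError("no hash of strength >= %s advertised" % minimum)


if __name__ == "__main__":
    # Constructed stand-in for a repomd.xml body; b"abc" is the standard
    # test vector, so the digests are easy to check against references.
    REPOMD = b"abc"
    hashes = compute_hashes(REPOMD)
    print(verification_xml(hashes))
    print("verified with", verify(REPOMD, hashes))
    weak_only = {"md5": hashes["md5"], "sha1": hashes["sha1"]}
    try:
        verify(REPOMD, weak_only)
    except ValueError as err:
        print("rejected weak-only metalink:", err)
```

The verifier walks from SHA-512 down and stops at the first algorithm it both knows and finds advertised; the `minimum` argument is what a client tightens once the metalink side (this ticket) ships SHA-2, and until then the weak-only case is a hard failure rather than a silent fallback to MD5.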
Unfortunately, our Fedora Infrastructure servers are running RHEL5, which is where the MM code to generate SHA* values will be running. Looks like EPEL 5 contains python-crypto, which has a SHA256 implementation.
Ah, python-hashlib is in the fi-repo now. skvidal noted on his blog that smooge may be adding it to EPEL, but it's not there at the moment. hashlib it is.
dgilmore put it into EPEL; it's in epel-testing now. Whee.
mirrormanager-1.2.11, built in plague so it will hit epel-testing soon, now returns sha256 and sha512 when available.
This is built and in production.