[Rpm-metadata] Createrepo sha1 hash problem
james at fedoraproject.org
Fri May 21 16:07:13 UTC 2010
On Thu, 2010-05-20 at 15:26 -0700, Joshua Bahnsen wrote:
> When createrepo 0.4.11 caches the SHA1 hash, it appears to store the
> SHA1 hash value in a file that looks like this:
> Unfortunately this isn't enough...
> Take for example these 2 files:
> All 4 items used to store the hash are exactly the same
> However the actual hash values of these 2 files are in fact different.
> I've traced this back to the GPG signature. You'll see they are signed
> with the same signature, however after removing the signature from
> both files we are left with 2 identical files, meaning the actual
> contents of the RPM are the same. If you dump the RPM header, you'll
> see the only difference is the GPG signature.
It might be worth fixing this in createrepo, _however_ I'd strongly
recommend not signing the same file twice ... and thus generating an
extra download for all users/mirrors/etc.
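
The cache collision described in this thread, as an added example that is not part of the original messages and is not createrepo's code: a checksum cache whose key does not cover the signature returns a stale SHA1 for a re-signed file. The `Pkg` model, the key fields in `weak_key`, and the fix in `strong_key` are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkg:
    """Constructed stand-in for an RPM file: a signature blob plus everything else."""
    signature: bytes
    payload: bytes
    mtime: int

    def data(self) -> bytes:
        return self.signature + self.payload

def file_sha1(pkg):
    """SHA1 over the whole file, signature included (what the repo metadata must carry)."""
    return hashlib.sha1(pkg.data()).hexdigest()

def weak_key(pkg):
    # Hypothetical cache key: every field is unchanged when the file is re-signed.
    return (hashlib.sha1(pkg.payload).hexdigest(), len(pkg.data()), pkg.mtime)

def strong_key(pkg):
    # Assumed fix: make the key depend on the signature bytes as well.
    return weak_key(pkg) + (hashlib.sha1(pkg.signature).hexdigest(),)

class ChecksumCache:
    def __init__(self, key_func):
        self.key_func = key_func
        self.store = {}

    def checksum(self, pkg):
        key = self.key_func(pkg)
        if key not in self.store:          # cache miss: hash the file
            self.store[key] = file_sha1(pkg)
        return self.store[key]             # cache hit: trust the stored value

def stale_entries(cache, pkgs):
    """Indexes of packages whose cached checksum differs from the real one."""
    return [i for i, p in enumerate(pkgs) if cache.checksum(p) != file_sha1(p)]

# Constructed sample: same payload and mtime, two signatures of equal length.
PAYLOAD = b"header+cpio payload of example-1.0-1.noarch"
FIRST = Pkg(b"SIGNATURE-RUN-1", PAYLOAD, 1274371200)
SECOND = Pkg(b"SIGNATURE-RUN-2", PAYLOAD, 1274371200)

if __name__ == "__main__":
    print("weak key stale:", stale_entries(ChecksumCache(weak_key), [FIRST, SECOND]))
    print("strong key stale:", stale_entries(ChecksumCache(strong_key), [FIRST, SECOND]))
```

Recomputing the hash and comparing it with the cached value, as `stale_entries` does, is also a way to audit an existing cache for entries left behind by re-signed packages.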