[Yum] PATCH: handle more checksum in repomd file

Miroslav Suchý msuchy at redhat.com
Tue Jun 30 09:38:15 UTC 2009


Seth Vidal wrote:
> 
> 
> On Mon, 29 Jun 2009, Miroslav Suchý wrote:
> 
>> So back to your questions:
>> Yes I have systems which cannot read both types of checksums from 
>> single repo.
>> And I cannot use "createrepo -s sha", because we do not use createrepo 
>> at all (since we can not). And second - we would like to use sha256 if 
>> possible since it is now the preferred way in Fedora.
>>
> 
> 
> 1. you most certainly can (and should) use createrepo - or at least its 
> libs.
Nope. It is slow for us. Spacewalk stores metadata in the db, and generating 
repodata from the db is much, much faster than reading from rpm files on disk.
A library? Maybe modifyrepo.py can be useful for us. Others probably 
not (judging from a quick look). Not to mention that the repomd code is now in 
Java in Spacewalk.

> Spacewalk and rhn having its own repodata generating tool has 
> always been incorrect in my opinion. It duplicates effort needlessly and 
> it means spacewalk (and rhn) always lag behind createrepo badly.

I disagree. Spacewalk focuses on something different than createrepo.

> 2. and why isn't -s sha seen as the 'backwards compatible' checksum type 
> and sha256 as the forward going checksum type?

The probability of a collision in SHA1 in an attack has been reduced to 2^52. So 
we would like to move to SHA256, following Fedora. If we would like 
to be 'backwards compatible', yeah - we can use sha1 or md5. But we 
would like to have sha256 to follow Fedora. It is the same as if you ask 
if Fedora can stay on SHA1 to be 'backwards compatible'.

>> Benefit for yum...? Well, it comes down to the question - are more 
>> checksums allowed in repomd.xml? If yes - then yum just picks up the last 
>> checksum now instead of the preferred one; if no - then yum should warn about 
>> the wrong format. I think the first is the correct behavior.
>> BTW - Do you know where the definition of the repodata files (repomd.xml, 
>> primary.xml...) is? I could not find a DTD file, nor any other 
>> documentation of the format.
> 
> So, my problem is there is no explicit provision for the data in 
> repomd.xml to have multiple checksums. Therefore, if we start doing this 
> we run the risk of breaking any of the non-yum depsolvers.
Which non-yum depsolvers?
And this brings me back to my question - do we have documentation of the 
format of these files? If the structure is well documented, then we 
should not care about other programs (including Spacewalk). A program 
either complies with the documentation or not.
But the only documentation I find is the yum code itself.

-- 
Miroslav Suchy
Red Hat Satellite Engineering
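
The "last checksum versus preferred checksum" question raised in this message, as an added example that is not part of the original post and is not yum's or Spacewalk's code. It assumes the multi-checksum repomd.xml layout proposed in the thread; the function names, the preference order and the sample payload are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}
# Strongest first; "sha" is the legacy repodata name for SHA-1.
PREFERENCE = ["sha256", "sha1", "sha", "md5"]
HASHLIB_NAME = {"sha256": "sha256", "sha1": "sha1", "sha": "sha1", "md5": "md5"}

PRIMARY = b"constructed primary.xml.gz bytes"  # constructed sample payload

def build_repomd(payload):
    """Constructed repomd.xml: two <checksum> elements, the weaker one last."""
    return (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        '<data type="primary">'
        '<checksum type="sha256">%s</checksum>'
        '<checksum type="sha">%s</checksum>'
        '<location href="repodata/primary.xml.gz"/>'
        '</data></repomd>'
    ) % (hashlib.sha256(payload).hexdigest(), hashlib.sha1(payload).hexdigest())

def checksums_for(repomd_xml, data_type):
    """Return [(type, hexdigest), ...] in document order for one <data> entry."""
    root = ET.fromstring(repomd_xml)
    for data in root.findall("r:data", NS):
        if data.get("type") == data_type:
            return [(c.get("type").lower(), c.text.strip())
                    for c in data.findall("r:checksum", NS)]
    raise KeyError(data_type)

def pick_last(checksums):
    """Behaviour described in the thread: whichever element comes last wins."""
    return checksums[-1]

def pick_preferred(checksums, supported=PREFERENCE):
    """Choose the strongest type this client supports, ignoring element order."""
    known = [c for c in checksums if c[0] in supported and c[0] in PREFERENCE]
    if not known:
        raise ValueError("no supported checksum type in repomd.xml")
    return min(known, key=lambda c: PREFERENCE.index(c[0]))

def verify(payload, checksum):
    """Recompute the digest of the downloaded file and compare."""
    ctype, expected = checksum
    return hashlib.new(HASHLIB_NAME[ctype], payload).hexdigest() == expected.lower()
```

Passing `supported=["sha", "md5"]` models an older client that cannot read sha256: it still finds a checksum it understands, while a newer client verifies against sha256 regardless of element order.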

