[Rpm-metadata] Createrepo sha1 hash problem
Joshua Bahnsen
archrival at gmail.com
Fri May 21 17:03:40 UTC 2010
I guess that's something I'd need to convince the CentOS people to fix. :)
On Fri, May 21, 2010 at 9:07 AM, James Antill <james at fedoraproject.org> wrote:
> On Thu, 2010-05-20 at 15:26 -0700, Joshua Bahnsen wrote:
> > When createrepo 0.4.11 caches the SHA1 hash, it appears to store the
> > SHA1 hash value in a file that looks like this:
> >
> >
> > <filename>-<sha1header>-<filesize>-<mtime>
> >
> >
> > Unfortunately this isn't enough...
> >
> >
> > Take for example these 2 files:
> >
> > http://msync.centos.org/centos/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
> >
> > http://msync.centos.org/centos/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
> >
> >
> > All 4 items used to store the hash are exactly the same
> >
> > cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm-9d85fb047de144d46c75159cc938b540298d626e-27426-1269710765
> >
> > However the actual hash values of these 2 files are in fact different.
>
> [...]
>
> > I've traced this back to the GPG signature. You'll see they are signed
> > with the same signature, however after removing the signature from
> > both files we are left with 2 identical files, meaning the actual
> > contents of the RPM are the same. If you dump the RPM header, you'll
> > see the only difference is the GPG signature.
>
> It might be worth fixing this in createrepo, _however_ I'd strongly
> recommend not signing the same file twice ... and thus generating an
> extra download for all users/mirrors/etc.
>
> _______________________________________________
> Rpm-metadata mailing list
> Rpm-metadata at lists.baseurl.org
> http://lists.baseurl.org/mailman/listinfo/rpm-metadata
>
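The cache-key collision described in the quoted message, as an added example that is not part of the original thread or of createrepo's own code. It models an RPM as a fixed-size signature block followed by header-plus-payload bytes (a constructed layout, not the real RPM format), rebuilds the createrepo 0.4.11 cache-file name `<filename>-<sha1header>-<filesize>-<mtime>` from the thread, and contrasts it with an assumed key that also hashes the small signature block. `build_pseudo_rpm`, `ChecksumCache`, `fixed_cache_key` and the signature bytes are all hypothetical; the package name and mtime are the ones quoted above.

```python
import hashlib

# Constructed stand-ins for RPM sections (not real packages). A real RPM is
# lead + signature header + main header + payload; the thread's "sha1header"
# covers the main header, which is identical across the two CentOS files,
# while only the GPG signature bytes differ between the two signings.
SIG_LEN = 32
HEADER_AND_PAYLOAD = b"cyrus-sasl-plain-2.1.22-5.el5_4.3 header and payload (identical bytes)"


def build_pseudo_rpm(signature: bytes) -> bytes:
    """Assumed layout for this example: fixed-size signature block, then header+payload."""
    if len(signature) > SIG_LEN:
        raise ValueError("signature block too large for this toy layout")
    return signature.ljust(SIG_LEN, b"\0") + HEADER_AND_PAYLOAD


def signature_region(blob: bytes) -> bytes:
    return blob[:SIG_LEN]


def header_region(blob: bytes) -> bytes:
    return blob[SIG_LEN:]


def header_sha1(blob: bytes) -> str:
    """Stand-in for createrepo's sha1header: digest of the header/payload only."""
    return hashlib.sha1(header_region(blob)).hexdigest()


def full_file_sha1(blob: bytes) -> str:
    """What repodata publishes and what clients verify after download."""
    return hashlib.sha1(blob).hexdigest()


def legacy_cache_key(filename: str, blob: bytes, mtime: int) -> str:
    """Cache-file name as described in the thread: <filename>-<sha1header>-<filesize>-<mtime>."""
    return f"{filename}-{header_sha1(blob)}-{len(blob)}-{mtime}"


def fixed_cache_key(filename: str, blob: bytes, mtime: int) -> str:
    """Assumed fix (hypothetical, not createrepo's): also hash the signature block,
    which is small and already read, so a re-signed file gets its own cache entry."""
    sig_sha1 = hashlib.sha1(signature_region(blob)).hexdigest()
    return f"{filename}-{header_sha1(blob)}-{sig_sha1}-{len(blob)}-{mtime}"


class ChecksumCache:
    """Minimal model of a checksum cache keyed by one of the functions above."""

    def __init__(self, keyfunc):
        self.keyfunc = keyfunc
        self.store = {}

    def checksum(self, filename: str, blob: bytes, mtime: int) -> str:
        key = self.keyfunc(filename, blob, mtime)
        if key not in self.store:
            # Only on a cache miss is the whole file actually hashed.
            self.store[key] = full_file_sha1(blob)
        return self.store[key]


def simulate(keyfunc):
    """Index the first signing, then the re-signed copy with the same name, size
    and mtime; return (checksum the cache reports, real checksum) for the second."""
    name = "cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm"
    mtime = 1269710765
    first = build_pseudo_rpm(b"signature-from-first-signing")   # constructed
    resigned = build_pseudo_rpm(b"signature-from-re-signing")   # constructed
    cache = ChecksumCache(keyfunc)
    cache.checksum(name, first, mtime)
    return cache.checksum(name, resigned, mtime), full_file_sha1(resigned)


def legacy_gives_stale_checksum() -> bool:
    cached, actual = simulate(legacy_cache_key)
    return cached != actual


def fixed_gives_correct_checksum() -> bool:
    cached, actual = simulate(fixed_cache_key)
    return cached == actual


if __name__ == "__main__":
    print("legacy key serves stale checksum:", legacy_gives_stale_checksum())
    print("signature-aware key serves correct checksum:", fixed_gives_correct_checksum())
```

With the legacy key the cache hands back the first file's digest for the re-signed copy, so the repodata written for it would not match the bytes a client downloads; the signature-aware key misses the cache for the re-signed file and hashes it properly. Either way, the cheaper mitigation the reply points at still holds: a package that is never signed twice never produces two files with the same header digest, size and mtime in the first place.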