[Rpm-metadata] Createrepo sha1 hash problem

Joshua Bahnsen archrival at gmail.com
Fri May 21 18:18:38 UTC 2010


Looks like most of the work was already done for me as a variable key is
already defined with exactly what I was looking to do (although I can't see
where it is ever used). Doing something like the simple patch below should
resolve the problem. At least it solves mine.

--- dumpMetadata.py.orig        2010-05-21 10:42:47.000000000 -0700
+++ dumpMetadata.py     2010-05-21 11:16:13.000000000 -0700
@@ -610,9 +610,9 @@

         key = md5.new("".join(t)).hexdigest()

-        csumtag = '%s-%s-%s-%s' % (os.path.basename(self.relativepath),
+        csumtag = '%s-%s-%s-%s-%s' % (os.path.basename(self.relativepath),
                                    self.hdr[rpm.RPMTAG_SHA1HEADER],
-                                   self.size, self.mtime)
+                                   self.size, self.mtime, key)
         csumfile = '%s/%s' % (self.options['cachedir'], csumtag)
         if os.path.exists(csumfile) and self.mtime <= os.stat(csumfile)[8]:
             csumo = open(csumfile, 'r')
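
Review bot: On the changed csumtag line, the new fifth field `key` comes from `md5.new("".join(t)).hexdigest()`, and `t` is built above the hunk, so this diff alone does not show that `t` covers the GPG signature data; please confirm it does, since otherwise two files that differ only in their signature still map to the same csumfile. Changing the format string to '%s-%s-%s-%s-%s' also means every existing entry in cachedir stops matching and is left behind, which deserves a changelog line or a cleanup step. A short comment above csumtag explaining why `key` is part of the name would help, given the message says `key` did not appear to be used anywhere before.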


On Fri, May 21, 2010 at 10:03 AM, Joshua Bahnsen <archrival at gmail.com> wrote:

> I guess that's something I'd need to convince the CentOS people to fix. :)
>
>
> On Fri, May 21, 2010 at 9:07 AM, James Antill <james at fedoraproject.org> wrote:
>
>> On Thu, 2010-05-20 at 15:26 -0700, Joshua Bahnsen wrote:
>> > When createrepo 0.4.11 caches the SHA1 hash, it appears to store the
>> > SHA1 hash value in a file that looks like this:
>> >
>> >
>> > <filename>-<sha1header>-<filesize>-<mtime>
>> >
>> >
>> > Unfortunately this isn't enough...
>> >
>> >
>> > Take for example these 2 files:
>> >
>> http://msync.centos.org/centos/5.4/updates/x86_64/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
>> >
>> http://msync.centos.org/centos/5.4/updates/i386/RPMS/cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm
>> >
>> >
>> > All 4 items used to store the hash are exactly the same
>> >
>> cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm-9d85fb047de144d46c75159cc938b540298d626e-27426-1269710765
>> >
>> > However the actual hash values of these 2 files are in fact different.
>>
>> [...]
>>
>> > I've traced this back to the GPG signature. You'll see they are signed
>> > with the same signature, however after removing the signature from
>> > both files we are left with 2 identical files, meaning the actual
>> > contents of the RPM are the same. If you dump the RPM header, you'll
>> > see the only difference is the GPG signature.
>>
>>  It might be worth fixing this in createrepo, _however_ I'd strongly
>> recommend not signing the same file twice ... and thus generating an
>> extra download for all users/mirrors/etc.
>>
>
>
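
Added example, not part of the original message or of createrepo's code: a simplified Python model of the cache collision described in the thread, where two files share filename, header SHA1, size and mtime but differ in signature. The Pkg class, the constructed signature and body bytes, and the use of a SHA-256 digest of the signature as extra key material are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Pkg:
    """Simplified model of an RPM file: signature region followed by header+payload."""
    name: str
    signature: bytes
    body: bytes
    mtime: int

    @property
    def content(self):
        return self.signature + self.body

def old_tag(p):
    # <filename>-<sha1header>-<filesize>-<mtime>, as described in the thread.
    # The header SHA1 is modelled as a digest of the unsigned body only.
    return "%s-%s-%d-%d" % (p.name, hashlib.sha1(p.body).hexdigest(),
                            len(p.content), p.mtime)

def new_tag(p):
    # Same tag plus a digest over the signature bytes (assumed key material).
    return "%s-%s" % (old_tag(p), hashlib.sha256(p.signature).hexdigest())

def checksum(p, cache, tag):
    """Return the file's SHA1, consulting the cache first (dict stands in for cachedir)."""
    k = tag(p)
    if k not in cache:
        cache[k] = hashlib.sha1(p.content).hexdigest()
    return cache[k]

# Constructed sample data: same name, body and mtime; signatures of equal length.
NAME = "cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm"
BODY = b"header-and-payload" * 64
a = Pkg(NAME, b"SIG-A" * 13, BODY, 1269710765)
b = Pkg(NAME, b"SIG-B" * 13, BODY, 1269710765)

def stale_hits(tag):
    """Count packages whose cached checksum differs from their real checksum."""
    cache = {}
    return sum(checksum(p, cache, tag) != hashlib.sha1(p.content).hexdigest()
               for p in (a, b))

if __name__ == "__main__":
    print("old tag stale results:", stale_hits(old_tag))
    print("new tag stale results:", stale_hits(new_tag))
```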