[Yum-devel] [PATCH 2/2] Fix md5 == abort() code path, only generate/trust sha2+ for metalink=>repomd

James Antill james at and.org
Tue Dec 8 00:10:27 UTC 2009


---
 yum/metalink.py     |    1 +
 yum/repoMDObject.py |    5 +++--
 yum/yumRepo.py      |   12 +++---------
 3 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/yum/metalink.py b/yum/metalink.py
index c7f5f83..24da633 100755
--- a/yum/metalink.py
+++ b/yum/metalink.py
@@ -55,6 +55,7 @@ class MetaLinkFile:
     """ Parse the file metadata out of a metalink file. """
 
     def __init__(self, elem):
+        # We aren't "using" any of these, just storing them.
         chksums = set(["md5", 'sha1', 'sha256', 'sha512'])
 
         for celem in elem:
diff --git a/yum/repoMDObject.py b/yum/repoMDObject.py
index 9f70f1d..2931816 100755
--- a/yum/repoMDObject.py
+++ b/yum/repoMDObject.py
@@ -94,8 +94,9 @@ class RepoMD:
         else:
             # srcfile is a file object
             infile = srcfile
-        
-        infile = AutoFileChecksums(infile, ['md5', 'sha1', 'sha256'],
+
+        # We trust any of these to mean the repomd.xml is valid.
+        infile = AutoFileChecksums(infile, ['sha256', 'sha512'],
                                    ignore_missing=True)
         parser = iterparse(infile)
         
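Review bot: The list `['sha256', 'sha512']` passed to `AutoFileChecksums` is now the only place that states which digests are trusted, because the yumRepo.py hunk in this patch accepts a match on whatever appears in `repoXML.checksums`. The added comment does not name that dependency, so a later edit that adds a digest here for another purpose would silently widen what the comparison in yumRepo.py accepts. I would spell it out, e.g. `# Trust policy: yumRepo.py accepts a match on any digest generated here, so never add md5/sha1 to this list.` The enclosing method starts and ends outside the hunk.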
diff --git a/yum/yumRepo.py b/yum/yumRepo.py
index 765a595..b97f05a 100644
--- a/yum/yumRepo.py
+++ b/yum/yumRepo.py
@@ -1145,22 +1145,16 @@ class YumRepository(Repository, config.RepoConf):
         if repoXML.length != repomd.size:
             return False
 
-        #  MirrorManager isn't generating sha256 yet, and we should probably
-        # not require all of the checksums we produce.
-        done = set()
         for checksum in repoXML.checksums:
             if checksum not in repomd.chksums:
                 continue
 
             if repoXML.checksums[checksum] != repomd.chksums[checksum]:
                 return False
-            done.add(checksum)
 
-        #  Only allow approved checksums, might want to not "approve" of
-        # sha1/md5
-        for checksum in ('sha512', 'sha256', 'sha1', 'md5'):
-            if checksum in done:
-                return True
+            #  If we don't trust the checksum, then don't generate it in
+            # repoMDObject().
+            return True
 
         return False
 
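Review bot: The added `return True` sits inside the loop, so the function returns on the first shared digest that matches and never compares the rest. Before this change every shared digest was compared and any mismatch returned False. When both sha256 and sha512 are present, a mismatch in one of them is now caught or missed depending on the iteration order of `repoXML.checksums`. To keep the full comparison, set `matched = False` before the loop, put `matched = True` in place of the `return True`, and end with `return matched` instead of the final `return False`. The function begins outside the hunk.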
-- 
1.6.5.2


