[Yum-devel] [PATCH 2/2] Fix md5 == abort() code path, only generate/trust sha2+ for metalink=>repomd
Seth Vidal
skvidal at fedoraproject.org
Tue Dec 8 16:24:10 UTC 2009
On Mon, 7 Dec 2009, James Antill wrote:
> ---
> yum/metalink.py | 1 +
> yum/repoMDObject.py | 5 +++--
> yum/yumRepo.py | 12 +++---------
> 3 files changed, 7 insertions(+), 11 deletions(-)
>
> diff --git a/yum/metalink.py b/yum/metalink.py
> index c7f5f83..24da633 100755
> --- a/yum/metalink.py
> +++ b/yum/metalink.py
> @@ -55,6 +55,7 @@ class MetaLinkFile:
> """ Parse the file metadata out of a metalink file. """
>
> def __init__(self, elem):
> + # We aren't "using" any of these, just storing them.
> chksums = set(["md5", 'sha1', 'sha256', 'sha512'])
>
> for celem in elem:
> diff --git a/yum/repoMDObject.py b/yum/repoMDObject.py
> index 9f70f1d..2931816 100755
> --- a/yum/repoMDObject.py
> +++ b/yum/repoMDObject.py
> @@ -94,8 +94,9 @@ class RepoMD:
> else:
> # srcfile is a file object
> infile = srcfile
> -
> - infile = AutoFileChecksums(infile, ['md5', 'sha1', 'sha256'],
> +
> + # We trust any of these to mean the repomd.xml is valid.
> + infile = AutoFileChecksums(infile, ['sha256', 'sha512'],
> ignore_missing=True)
> parser = iterparse(infile)
>
> diff --git a/yum/yumRepo.py b/yum/yumRepo.py
> index 765a595..b97f05a 100644
> --- a/yum/yumRepo.py
> +++ b/yum/yumRepo.py
> @@ -1145,22 +1145,16 @@ class YumRepository(Repository, config.RepoConf):
> if repoXML.length != repomd.size:
> return False
>
> - # MirrorManager isn't generating sha256 yet, and we should probably
> - # not require all of the checksums we produce.
> - done = set()
> for checksum in repoXML.checksums:
> if checksum not in repomd.chksums:
> continue
>
> if repoXML.checksums[checksum] != repomd.chksums[checksum]:
> return False
> - done.add(checksum)
>
> - # Only allow approved checksums, might want to not "approve" of
> - # sha1/md5
> - for checksum in ('sha512', 'sha256', 'sha1', 'md5'):
> - if checksum in done:
> - return True
> + # If we don't trust the checksum, then don't generate it in
> + # repoMDObject().
> + return True
>
> return False
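Review bot: The added `return True` drops the guarantee the removed `done` set gave, namely that every digest shared with the metalink was compared and at least one matched. Indentation is not preserved on this page, so its level is unclear: inside the `for checksum in repoXML.checksums` loop it accepts on the first shared digest and never compares the others, while after the loop it accepts a repomd.xml on size alone whenever no digest is shared. Either way, set `matched = True` after the comparison and follow the loop with `if matched: return True`, so that acceptance requires all shared digests to agree and at least one to exist. The enclosing method begins and ends outside the hunk.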
I have not tested this yet - but does this implicitly mean we need to add a
"Requires: python-hashlib" if we want that version to be usable on Python
2.4?
-sv