Deltarpm *not* ready for new RPM checksums (was Re: Ready for new RPM version?)

Axel Thimm Axel.Thimm at
Sat Apr 18 13:58:16 UTC 2009

On Tue, Mar 10, 2009 at 07:52:32PM +0200, Jonathan Dieter wrote:
> On Tue, 2009-03-10 at 19:41 +0200, Jonathan Dieter wrote:
> > Ok, I've been trying this, but how can we tell if the sequence is sha256
> > or md5 if we're *just* given the sequence (i.e. applydeltarpm -c -s
> > audit-libs-1.7.12-1.fc11-04548395de7d18795d88b32ea98897e90140 where it's
> > a sha256 sequence)?
> Ok, I've got it.  We just check against md5 first, then sha256 if md5
> doesn't match.  It's not elegant, but it should work fine, especially
> since we're only checking for verification, *not* security.
> Jonathan

Sorry for jumping in that late, but assuming a malicious deltarpm that
could fake a matching md5 sum to pass validation, wouldn't it get
applied and make that a security issue?
Axel.Thimm at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the fedora-devel-list mailing list