[Fedora-packaging] Is md5sum compulsion in review instead sha1sum?

Ralf Corsepius rc040203 at freenet.de
Tue Oct 13 06:05:42 UTC 2009

On 10/13/2009 07:13 AM, Matthias Clasen wrote:
> On Tue, 2009-10-13 at 08:36 +0530, Parag N(पराग़) wrote:
>> Hi all,
>>     I want to know that is there really any compulsion on posting
>> md5sum instead sha1sum?  Review Guidelines said "Reviewers should use
>> md5sum for this task." I have started posting sha1sum for source in
>> package review.
> That part of the review guidelines has always struck me as bizarre.
> After all, wouldn't it seem even better to compare the actual tarballs
> with each other, byte-by-byte, than relying on a checksum ?

Well, this is only one part of the story.

You are right, to verify a submitted package's contents against 
"external sources" (e.g. upstream), md5sums don't provide more 
information than a "byte-by-byte" comparison would provide [1].

But there is another aspect: Fedora's applies md5sums as their checksums
for "binaries" in its CVS (cf. a file named "sources" in packages 
checked out from CVS).

I.e. to be able to verify whether the files from a "just imported 
*.src.rpm" matches with those inside of the *.src.rpm having been 
reviewed, a review would have to contain md5sums.

=> Unless CVS changes to apply sha1sums, sha1sums in reviews would void 
the latter point.


[1] In cases upstreams ship "detached md5sum files" (many upstreams do), 
it's common practice to consider a match between the md5sums from the 
upstream md5sum file and those generated from the files inside of an 
src.rpm to be sufficient. Whether md5sums are safe enough to justify 
this amount of trust, is a different issue.

More information about the Fedora-packaging mailing list