[Fedora-packaging] Is md5sum compulsion in review instead sha1sum?

Jon Ciesla limb at jcomserv.net
Wed Oct 14 13:06:10 UTC 2009

Ralf Corsepius wrote:
> On 10/14/2009 09:55 AM, Nicolas Mailhot wrote:
>> Le Mer 14 octobre 2009 05:47, Chris Weyl a écrit :
>>> On Mon, Oct 12, 2009 at 10:13 PM, Matthias Clasen <mclasen at redhat.com> wrote:
>>>> That part of the review guidelines has always struck me as bizarre.
>>>> After all, wouldn't it seem even better to compare the actual tarballs
>>>> with each other, byte-by-byte, than relying on a checksum ?
>>> Um. An easily reproducible, cryptographically strong checksum? :)
>> This is one test I never do, nothing will stop the packager from changing the
>> packaged archive as soon as the review is finished,
> ACK.
>> so the whole thing is a
>> major waste of time for everyone involved IMHO
> Agreed.
Sort of. I think of it as CYA for the reviewer. If something bad slips 
in, at least it's documented that it was good when I checked it, and the 
responsibility then falls on the packager.
>> (as is posting specs in
>> addition to SRPMs BTW.
> Not agreed. Many packaging issues can easily be found in specs, 
> without downloading the actual *.src.rpm.
True. I always wget both, install the SRPM and diff the specs, and ask 
about any differences if the packager goofed. Though I certainly see 
your point, especially for extremely large packages, like games with 
huge globs of data (i.e. wesnoth), etc.
> Ralf

in your fear, seek only peace
in your fear, seek only love

-d. bowie
