SHA1 and 256 (again) :)

Jesse Keating jkeating at
Thu Nov 19 17:43:44 UTC 2009

On Thu, 2009-11-19 at 06:09 +0530, Rahul Sundaram wrote:
> On 11/19/2009 06:04 AM, Ladislav Bodnar wrote:
> > On Thursday 19 November 2009, Rahul Sundaram wrote:
> >> Note that changing HASH: SHA1 to anything else in the top of the file
> >> will make the gpg check fail since it writes it out that way. So it's
> >> sort of a tricky issue to solve. Not sloppiness.
> > 
> > Maybe it would be simpler to call the file SHA256SUM (or SHA256) instead of 
> > CHECKSUM? As far as I remember, these files used to be called MD5SUM, then 
> > SHA1SUM, which made it very clear what was inside. But with so many 
> > different checksum standards, calling the file CHECKSUM is bound to lead to 
> > confusion.
> I think the generic name was picked up because nobody believes that
> SHA256 hashes are going to be cryptographically secure for a long time
> and we are bound to switch to stronger checksums over a period of time
> but I think, a clear filename does make it more easier to avoid this
> mass confusion. Jesse Keating?
> Rahul

Changing the filename each time was getting to be a hassle, so we named
the file generically.  This happened not only in pungi, but in many of
the other tools we had to update when moving from md5 or sha1 to sha256.
Since we know we'll have to do it again we've made that task easier next

The solution here is to put a blurb in the file itself about how to
verify it.  That is something I'm going to do, but by the time it was
suggested and I conceded that it was needed, we were past the feature
freeze and I was not going to introduce a feature in our compose tool at
that point.

Jesse Keating
Fedora -- Freedom² is a feature!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the fedora-test-list mailing list