[Pulp-dev] pulp 3 upload API validation

Sean Myers sean.myers at redhat.com
Mon Jul 10 19:37:59 UTC 2017

On 07/10/2017 03:06 PM, Dennis Kliban wrote:
> The upload API for Artifacts is going to allow users to specify the
> artifact size and a digest. The Artifact model currently supports 'md5',
> 'sha1', 'sha224', 'sha256', 'sha384', and 'sha512' digests.
> Do we want to let users specify more than one digest per upload? e.g. md5
> and sha256?
> Do we want to store all 6 digests for each Artifact?

My hasty thoughts behind those fields: On the upload, the hash is only useful
for verifying that the upload succeeded, so only one is necessary (but hey, the
paranoid can upload as many as they've got to guard against potential collisions
I guess). Once verified, pulp should generate all remaining hashes. A corollary
is that Pulp should never store a hash received from a user, or else pulp is
potentially storing corrupt data.

For fun, take a look at `hashlib.algorithms_guaranteed` in a python2
interpreter, and then compare it to the list of fields you've mentioned to see
where that list of hashes came from. Then look at the same thing in a python3,
and consider how to deal with that in the data model, particularly taking into
account the potential migration pain that comes with adding new supported hash
types as the number of artifacts increases.
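
An added example, not part of the original message and not Pulp's code: one way to implement the approach described above, reading the upload once, checking it against whatever size and digests the client claimed, and returning only digests computed from the received bytes. The names `validate_upload`, `UploadValidationError`, `DIGEST_FIELDS` and `SAMPLE` are hypothetical.

```python
import hashlib
import io

# The six digest fields named in the thread.
DIGEST_FIELDS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

# Constructed sample upload, for illustration only.
SAMPLE = b"constructed artifact payload\n" * 1000


class UploadValidationError(ValueError):
    """Raised when the received bytes do not match what the client claimed."""


def validate_upload(stream, claimed_size=None, claimed_digests=None, chunk_size=1 << 20):
    """Read the upload once and return (size, digests) computed server-side.

    claimed_digests maps algorithm name -> hex digest supplied by the client.
    Client values are only compared against; they are never returned, so the
    caller has nothing user-supplied to store.
    """
    claimed_digests = claimed_digests or {}
    unknown = sorted(set(claimed_digests) - set(DIGEST_FIELDS))
    if unknown:
        raise UploadValidationError("unsupported digest type(s): %s" % unknown)

    # One hasher per stored field, all fed from the same single pass.
    hashers = {name: hashlib.new(name) for name in DIGEST_FIELDS}
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        for hasher in hashers.values():
            hasher.update(chunk)

    if claimed_size is not None and size != claimed_size:
        raise UploadValidationError("size mismatch: got %d, claimed %d" % (size, claimed_size))

    computed = {name: hasher.hexdigest() for name, hasher in hashers.items()}
    for name, claimed in claimed_digests.items():
        # Hex digests are case-insensitive; normalise before comparing.
        if computed[name] != claimed.strip().lower():
            raise UploadValidationError("%s mismatch" % name)
    return size, computed


if __name__ == "__main__":
    claim = {"sha256": hashlib.sha256(SAMPLE).hexdigest()}
    print(validate_upload(io.BytesIO(SAMPLE), len(SAMPLE), claim))
```

Supplying several claimed digests works the same way: every one of them must match before any computed value is returned.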
