Comments (12)
@kontura I know you didn't want to go quite this far but I thought there was going to be some functionality deprecated with warnings?
Unfortunately I didn't find the time to do any additional work on createrepo_c, and we needed to get the other changes released at least a bit in advance in case there are some problems. Therefore this was postponed.
We should still be able to use sha1 for people who need to (re)publish repos for systems that don't support it. RHEL 5 and older can't handle SHA256.
> We should still be able to use sha1 for people who need to (re)publish repos for systems that don't support it. RHEL 5 and older can't handle SHA256.

To be clear, I'm not suggesting that we remove support for parsing them; we could even probably make --update continue to work.

But also the current idea was just to deprecate them with warnings, and remove them in some future version probably at least 2 years away. So even if support were removed entirely, it kinda feels like a reasonable cutoff given we're talking about EL5?
Separate topic: while there isn't anything technically "wrong" with sha384 and sha512, nobody really uses them. I don't know that we would want to remove them any time soon (since in case sha256 is ever broken, a fallback is needed), but I don't suppose we could discourage them for current use in favor of adopting sha3 or blake3 (which obviously would require some additional ecosystem work to widely support)?
Maybe we should upgrade the default hashes for 1.0? We already use SHA-512 in a bunch of other places for similar reasons. Can we use SHA3 or BLAKE3 with FIPS?
Well, technically 1.0 is already out, as of the other week... I'd rather not see sha512 be the default purely on the basis of being twice as long without any structural benefits over sha256 otherwise. Especially now that "filelists_ext" with checksums exists.

I believe FIPS permits SHA-3. I don't think any members of the BLAKE family are on the list, though, or SHA-3 derivatives like K12. Which is a bit of a shame.
If it permits SHA-3 and the RPM+DNF infrastructure can handle it, then we could shift to that.
> and the RPM+DNF infrastructure can handle it

I haven't checked, but I don't think it does; support would need to be added.

edit: nope, not supported. https://github.com/openSUSE/libsolv/blob/86717630b78f015ed3e0d41aa299cdde532b9c6f/src/chksum.c#L122-L139

I just think it's probably a good time to start thinking about that future, anyway.

My only gripe with SHA-3 is that it was massively overbuilt and is therefore pretty slow compared to everything else without hardware acceleration, which we probably won't see for 15 years.

But it's in FIPS, so we probably ought to support it whether or not we also consider BLAKE3.
@DemiMarie, what do you think about the above discussion? Would it be worthwhile to start thinking about adopting SHA-3 and/or BLAKE(3|2b|2s) as an alternate checksum type for metadata (createrepo_c & libsolv & dnf) and possibly RPMs?
@dralley Security-wise, SHA3 and Blake2b are equivalent to SHA-512, and Blake3 and Blake2s are equivalent to SHA-256. Blake3 has some performance advantage but I am not sure if that matters for your use-case.
sha1:
- https://releases.jfrog.io/artifactory/artifactory-pro-rpms/repodata/repomd.xml
- https://packages.gitlab.com/runner/gitlab-runner/el/9/x86_64/repodata/repomd.xml
- https://rpm.releases.hashicorp.com/RHEL/9/x86_64/stable/repodata/repomd.xml
- https://yum.puppetlabs.com/puppet/el/9/x86_64/repodata/repomd.xml
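The thread above turns on two questions a repository consumer can answer mechanically: which digest algorithm each `<data>` entry in a repository's `repomd.xml` declares (the list of sha1 repositories above was compiled by looking at exactly that attribute), and whether the client stack can parse that algorithm at all (the libsolv `chksum.c` link above). The script below is an added example, not code from createrepo_c, libsolv or any commenter. It builds a constructed `repomd.xml` in memory rather than fetching the real repositories listed above, audits the `checksum type` of every entry against a deprecation set and a "libsolv can parse it" set, and verifies one entry's digest against its payload with `hashlib`. The `LIBSOLV_SUPPORTED` set is an assumption taken from the algorithms that libsolv's `chksum.c` maps at the linked commit (md5, sha1, sha224, sha256, sha384, sha512); the `"sha"` alias reflects older yum/createrepo metadata that wrote `type="sha"` for SHA-1; all payload bytes and data types are constructed.

```python
"""Audit and verify the checksum algorithms declared in a repomd.xml.

Added example, not createrepo_c's own code. The sample repomd.xml and the
payloads it describes are constructed inline so the script runs offline.
"""
import hashlib
import xml.etree.ElementTree as ET

REPOMD_NS = "http://linux.duke.edu/metadata/repo"

# Assumption: the digest types libsolv's chksum.c maps at the commit linked in
# the thread. SHA-3 and the BLAKE family are absent, so a repomd.xml that
# declared them would not be parseable by dnf/libsolv without new code.
LIBSOLV_SUPPORTED = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}

# The types the thread proposes to deprecate with warnings.
DEPRECATED = {"md5", "sha1"}

# Older yum/createrepo metadata spelled SHA-1 as type="sha".
ALIASES = {"sha": "sha1"}

# Constructed sample: data type -> (algorithm the publisher chose, payload bytes).
SAMPLE_PAYLOADS = {
    "primary":   ("sha256", b"<metadata> constructed primary payload </metadata>\n"),
    "filelists": ("sha1",   b"<filelists> constructed filelists payload </filelists>\n"),
    "other":     ("sha512", b"<otherdata> constructed other payload </otherdata>\n"),
}


def normalize(algo: str) -> str:
    """Map a repomd checksum type to a hashlib algorithm name."""
    algo = algo.lower()
    return ALIASES.get(algo, algo)


def build_sample_repomd(payloads=SAMPLE_PAYLOADS) -> str:
    """Emit a minimal repomd.xml whose digests really match the payloads."""
    entries = []
    for data_type, (algo, payload) in payloads.items():
        digest = hashlib.new(algo, payload).hexdigest()
        entries.append(
            f'  <data type="{data_type}">\n'
            f'    <checksum type="{algo}">{digest}</checksum>\n'
            f'    <location href="repodata/{digest}-{data_type}.xml.gz"/>\n'
            f'    <size>{len(payload)}</size>\n'
            f'  </data>'
        )
    return (
        f'<repomd xmlns="{REPOMD_NS}">\n'
        '  <revision>1700000000</revision>\n'
        + "\n".join(entries) + "\n</repomd>\n"
    )


def audit_repomd(xml_text: str) -> dict:
    """Return {data type: normalized checksum algorithm} for every <data> entry."""
    root = ET.fromstring(xml_text)
    found = {}
    for data in root.findall(f"{{{REPOMD_NS}}}data"):
        cs = data.find(f"{{{REPOMD_NS}}}checksum")
        if cs is None:
            continue  # an entry without a checksum cannot be verified at all
        found[data.get("type")] = normalize(cs.get("type", ""))
    return found


def classify(found: dict) -> dict:
    """Bucket each entry: deprecated, unsupported by libsolv, or ok."""
    report = {"deprecated": [], "unsupported": [], "ok": []}
    for data_type, algo in sorted(found.items()):
        if algo in DEPRECATED:
            report["deprecated"].append((data_type, algo))
        elif algo not in LIBSOLV_SUPPORTED:
            report["unsupported"].append((data_type, algo))
        else:
            report["ok"].append((data_type, algo))
    return report


def verify_entry(xml_text: str, data_type: str, payload: bytes) -> bool:
    """Recompute one entry's digest over payload and compare it to repomd.xml.

    Raises ValueError for a digest type this Python build cannot compute
    (on a FIPS-enabled host hashlib.new('md5') itself raises ValueError).
    """
    root = ET.fromstring(xml_text)
    for data in root.findall(f"{{{REPOMD_NS}}}data"):
        if data.get("type") != data_type:
            continue
        cs = data.find(f"{{{REPOMD_NS}}}checksum")
        algo = normalize(cs.get("type", ""))
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unknown digest type {algo!r} in repomd.xml")
        return hashlib.new(algo, payload).hexdigest() == (cs.text or "").strip()
    raise KeyError(f"no <data type={data_type!r}> entry")


if __name__ == "__main__":
    xml_text = build_sample_repomd()
    for bucket, items in classify(audit_repomd(xml_text)).items():
        for data_type, algo in items:
            print(f"{bucket:<11} {data_type:<10} {algo}")
    print("primary verifies:", verify_entry(xml_text, "primary", SAMPLE_PAYLOADS["primary"][1]))
```

Pointing `audit_repomd` at a downloaded `repomd.xml` (the four URLs above, for instance) reproduces the "sha1:" list mechanically; swapping `"sha256"` for `"sha3_256"` in `SAMPLE_PAYLOADS` shows the other half of the thread: `hashlib` computes the digest happily, but the entry lands in the `unsupported` bucket because the consumer-side set has no such type.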