rpm hashes

Panu Matilainen pmatilai at laiskiainen.org
Thu May 14 07:46:25 UTC 2009


On Wed, 13 May 2009, Adam Jackson wrote:

> On Wed, 2009-05-13 at 09:13 +0300, Panu Matilainen wrote:
>
>> From rpm POV it's perfectly legal for any number of packages to share
>> identical files, and that still works. What doesn't work is sharing files
>> between packages using different file hash algorithm, so if you need to
>> share across Centos >= 3 <-> Fedora >= 11 you need to build the package
>> for lowest common denominator, meaning md5 file hashes. Fedora 11 changes
>> the default algorithm from md5 to sha256 in redhat-rpm-config, producing
>> packages that are incompatible with rpm < 4.6.0 but specs and macro
>> configuration can override that.
>>
>> Whether it's against Fedora guidelines is another question, but since this
>> was about a package from a 3rd party repository...
>
> It would have been really, _really_ nice if sha256 was merely another
> hash that could be in the payload, instead of forcing you to pick one or
> the other.  For that matter, it would still be really really nice.

Could it have been done that way? Yes, and if it were just per-package 
hash then certainly it would've been done that way. But remember this is 
per-file data, storing two (and when the day comes when sha256 is 
considered insufficient, three etc) hashes per file adds a non-trivial 
amount of header bloat.

Having the md5 hashes too would've been nice for backwards compatibility 
but actually using them for file conflict calculations would mean (in 
addition to the header bloat):
- considerable increase in memory use
- falling back to md5 for conflict resolution would void the supposed
   extra security of the better hash

 	- Panu -




More information about the fedora-devel-list mailing list