[Pulp-list] syncing old repos with sha1 checksums

[Mike McCune]

We got this bug in Katello:

https://bugzilla.redhat.com/show_bug.cgi?id=855146

that describes an issue we are having trying to remove packages from 
existing repos.  We call pulp's 
/pulp/api/services/disassociate/packages/ API call which searches for 
packages by filename and sha.  The issue came from the old repository 
metadata from this virtualbox repo that Corey synced:

http://download.virtualbox.org/virtualbox/rpm/fedora/17/x86_64/

the RPM metadata in the above location are still checksummed with a sha1 
signature vs sha256.  The issue comes down to the pulp code in v1:

https://bugzilla.redhat.com/show_bug.cgi?id=855146#c7

here in pulp/server/api/repo.py:

     def _translate_filename_checksum_pairs(self, pkg_infos):
         """
         Translates a list of filename/checksum structures to a list of 
package ids.
         @param pkg_infos: format is [((filename, checksum), [repoids])]
         @return:    {'repo_id':[pkgids]}, {errors}
         """
         start_translate = time.time()
         p_col = model.Package.get_collection()
         repo_pkgs = {}
         errors = {}
         for item in pkg_infos:
             filename = item[0][0]
             checksum = item[0][1]
             repos = item[1]
             found = p_col.find_one({"filename":filename, 
"checksum.sha256":checksum}, {"id":1})

you can see it will never find the packages with metadata signed with 
checksum.sha... is this fixed in V2?

-- 
Mike McCune
mmccune AT redhat.com
Red Hat Engineering       | Portland, OR
Systems Management        | 650-254-4248