Mailinglist Archive: opensuse-buildservice (140 mails)

Re: [opensuse-buildservice] adding checksums to the buildinfo
  • From: Pascal Bleser <pascal.bleser@xxxxxxxxxxxx>
  • Date: Tue, 17 Jul 2012 17:38:12 +0200
  • Message-id: <20120717153812.GF5757@hera>
On 2012-07-17 17:31:40 (+0200), Marcus Hüwe <suse-tux@xxxxxx> wrote:
> Hi,
>
> some days ago darix and I had a small discussion about verifying the
> integrity of the downloaded packages which are used for local builds.
> The idea is that we add a checksum for each package to the buildinfo
> xml so that a client/osc can "easily" check if the downloaded file is
> corrupted.
> For instance we could add the hdrmd5 to buildinfo (this would require
> only a small change in the backend) or alternatively we add the md5
> of the whole package to the buildinfo (this would probably require
> a bigger change in the backend). The advantage of the latter is that
> it is much easier to verify for the client (but then I don't think
> there are many clients which deal with the buildinfo at all...).
>
> Any opinions?:)

(don't use MD5, it's insecure and can relatively easily be
hacked with collisions, use SHA instead ;))

cheers
--
-o) Pascal Bleser
/\\ http://opensuse.org -- we haz green
_\_v http://fosdem.org -- we haz conf
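
The check proposed in this thread, as an added example that is not part of the original mail or of osc/OBS code: it verifies downloaded packages against a whole-file SHA-256 carried in the buildinfo. The `filename` and `sha256` attributes on `bdep`, and the sample data, are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET


def file_sha256(path, chunk_size=1 << 16):
    """Hash the whole package file in chunks so large RPMs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_buildinfo(buildinfo_xml, pkg_dir):
    """Map each bdep filename to ok / mismatch / missing-file / no-checksum."""
    results = {}
    for bdep in ET.fromstring(buildinfo_xml).iter("bdep"):
        # "filename" and "sha256" are assumed attribute names, not the real schema.
        # basename() keeps a hostile filename from pointing outside pkg_dir.
        name = os.path.basename(bdep.get("filename", ""))
        expected = (bdep.get("sha256") or "").lower()
        path = os.path.join(pkg_dir, name)
        if not expected:
            results[name] = "no-checksum"  # fail closed: unverifiable is not ok
        elif not os.path.isfile(path):
            results[name] = "missing-file"
        elif file_sha256(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: one intact file, one truncated, one absent, one without digest."""
    good, other = b"constructed package A", b"constructed package B"
    with tempfile.TemporaryDirectory() as pkg_dir:
        for fname, data in (("a-1.0.rpm", good), ("b-2.0.rpm", other[:-1])):
            with open(os.path.join(pkg_dir, fname), "wb") as fh:
                fh.write(data)
        xml = ("<buildinfo>"
               f'<bdep filename="a-1.0.rpm" sha256="{hashlib.sha256(good).hexdigest()}"/>'
               f'<bdep filename="b-2.0.rpm" sha256="{hashlib.sha256(other).hexdigest()}"/>'
               f'<bdep filename="c-3.0.rpm" sha256="{hashlib.sha256(good).hexdigest()}"/>'
               '<bdep filename="d-4.0.rpm"/>'
               "</buildinfo>")
        return verify_buildinfo(xml, pkg_dir)
```

A digest in the buildinfo only detects corruption or tampering of the package download if the buildinfo itself was fetched over an authenticated channel.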