Important: Createrepo_c 0.2.0 and SHA checksum
by Tomas Mlcoch
Hi all,
I would like to inform you about a bug in Createrepo_c 0.2.0 that may affect you.
The highly re-factored createrepo_c 0.2.0 brought a bug in checksumming.
New fixed version of createrepo_c (version 0.2.1) has been already released.
About the bug:
--------------
Createrepo_c version >= 0.2.0 uses a OpenSSL library to compute checksums instead of GLib2 (because GLib2 doesn't support SHA512 until v2.36).
During refactoring of the checksum createrepo_c module, I missed that the classical createrepo uses the SHA1 algorithm for both "sha" and "sha1" checksuming operations.
Instead I used OpenSSL EVP_sha (aka SHA0) for "sha" checksum and EVP_sha1 for "sha1" checksum, what most of the tools for manipulation with repodata probably doesn't expect.
Affected users:
---------------
Everyone who used createrepo_c v0.2.0 with --checksum="sha" (everyone who used --checksum="sha1" is fine)
Please switch to the createrepo_c v0.2.1 which uses SHA1 algorithm for "sha" exactly as creterepo.
Updates will be pushed to the fedora updates soon:
https://admin.fedoraproject.org/updates/createrepo_c-0.2.1-1.el6
https://admin.fedoraproject.org/updates/createrepo_c-0.2.1-1.fc19
https://admin.fedoraproject.org/updates/createrepo_c-0.2.1-1.fc18
I am sorry for any inconvenience.
Regards
Tomas
10 years, 8 months