On Mon, 2010-01-18 at 02:50 -0500, Robert P. J. Day wrote: > ok, but this raises the question as to what the checksums are trying > to protect against. if it's simple (accidental) download corruption, > then an md5sum would be more than adequate. if it's spoofing or > deliberate hacking and md5 is inadequate, why support md5 at all? why > not just *exclusively* use sha256 and drop support for md5 altogether? > > or am i misunderstanding something here? perhaps i'll go off and > read that entire thread beginning to end as soon as the coffee is > ready. thanks.
I think the idea was to prevent any flaw in one of the algorithms being exploited. Either checksum works as download corruption detection. Just as a note about the future, I'd like to see bitbake support the md5 and sha256 parameters in urls the fetcher code directly itself and automatically verify downloads. We're not quite there yet but its planned. The code in OE is just stopgap until we get that sorted out. Cheers, Richard _______________________________________________ Bitbake-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/bitbake-dev
