lhotari commented on a change in pull request #11343:
URL: https://github.com/apache/pulsar/pull/11343#discussion_r672031881
##########
File path:
pulsar-common/src/main/java/org/apache/pulsar/common/nar/NarUnpacker.java
##########
@@ -136,27 +146,27 @@ private static void makeFile(final InputStream
inputStream, final File file) thr
}
/**
- * Calculates an md5 sum of the specified file.
+ * Calculates an sha256 sum of the specified file.
*
* @param file
- * to calculate the md5sum of
- * @return the md5sum bytes
+ * to calculate the sha256 of
+ * @return the sha256 bytes
* @throws IOException
* if cannot read file
*/
- private static byte[] calculateMd5sum(final File file) throws IOException {
+ private static byte[] calculateSha256Sum(final File file) throws
IOException {
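Review bot: The added Javadoc summary "Calculates an sha256 sum of the specified file" has the wrong article and an informal algorithm name; "Calculates a SHA-256 sum of the specified file" reads correctly. The @param and @return lines would also be more consistent as "to calculate the SHA-256 sum of" and "the SHA-256 digest bytes", which matches the new method name calculateSha256Sum and makes it clear the return value is the raw 32-byte digest rather than a hex string.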
Review comment:
> I would agree that it is outdated and insecure for use as a digital
> signature but that is not really the use case here. SHA-256 is also a little
> bit slower than MD5

That's true that using SHA-256 because of security isn't the main reason.
The performance isn't a real issue so I'm proposing that we do the switch from
MD5 -> SHA-256 since the code in this area is being modified.

> There are also backwards compatibility issues as we write the MD5 checksum
> into a file "HASH_FILENAME" and use the checksum there to determine whether a
> NAR has changed or not

The files are temporary files under /tmp/pulsar-nar directory. There's not
an actual backwards compatibility issue. The only problem it could cause is
unused temporary files.
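The stored-hash change check discussed in this thread, as an added Java example that is not Pulsar's NarUnpacker code: it streams a file through SHA-256 and compares the result with a previously written hash file, including the case where that file still holds an MD5 value. The class name, method names and the hash file name are hypothetical, and the sample archive bytes are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; all names here are hypothetical, not taken from Pulsar.
public class NarHashCheck {

    // Streams the file through the digest so large archives are never fully in memory.
    static byte[] digest(Path file, String algorithm) throws IOException {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
                byte[] buf = new byte[8192];
                while (in.read(buf) != -1) {
                    // each read updates the digest as a side effect
                }
            }
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("digest algorithm unavailable: " + algorithm, e);
        }
    }

    // Reports a change when the stored hash is missing or differs from the current SHA-256.
    static boolean needsUnpack(Path nar, Path hashFile) throws IOException {
        if (!Files.exists(hashFile)) {
            return true;
        }
        // isEqual also handles a length mismatch (16-byte MD5 vs 32-byte SHA-256).
        return !MessageDigest.isEqual(Files.readAllBytes(hashFile), digest(nar, "SHA-256"));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("nar-hash-demo");
        Path nar = Files.write(dir.resolve("demo.nar"),
                "constructed sample archive".getBytes(StandardCharsets.UTF_8));
        Path hashFile = dir.resolve("nar-hash"); // hypothetical hash file name

        Files.write(hashFile, digest(nar, "MD5"));      // case 1: hash left by an MD5-based run
        System.out.println("stale MD5 hash file -> " + needsUnpack(nar, hashFile));
        Files.write(hashFile, digest(nar, "SHA-256"));  // case 2: hash rewritten after unpacking
        System.out.println("matching SHA-256    -> " + needsUnpack(nar, hashFile));
        Files.write(nar, "modified archive".getBytes(StandardCharsets.UTF_8)); // case 3
        System.out.println("archive modified    -> " + needsUnpack(nar, hashFile));
    }
}
```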