On Wed, 2015-12-30 at 20:09 +0100, Pierre-Yves Chibon wrote: > On Wed, Dec 30, 2015 at 07:38:35PM +0100, Björn Persson wrote: > > But still, why are we still using MD5? > > For the record bochecha has been leading the move away from md5 to > sha, making the changes in such a way that it will give us the > flexibility to later change from sha1 to sha256, sha512 or something > else. > > The problem being that there are quite a number of places to change > (dist-git, fedpkg...) which all have different upstreams and release > cycles. > So all in all, it's in progress but takes some time.
That's not the problem any more. All those places have been changed, and should all be ready for the switch now. However, switching means breaking old fedpkg clients: people would have to update their fedpkg as once we switch the old (i.e current) version would fail to be able to handle anything non-md5. The Fedora Releng team decided not to do that breakage at the moment, and instead bundle it with other changes requiring a breakage, so that we break things only once rather than several times. -- Mathieu -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
