On Mon, 7 Dec 2009, James Antill wrote:

---
yum/metalink.py     |    1 +
yum/repoMDObject.py |    5 +++--
yum/yumRepo.py      |   12 +++---------
3 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/yum/metalink.py b/yum/metalink.py
index c7f5f83..24da633 100755
--- a/yum/metalink.py
+++ b/yum/metalink.py
@@ -55,6 +55,7 @@ class MetaLinkFile:
    """ Parse the file metadata out of a metalink file. """

    def __init__(self, elem):
+        # We aren't "using" any of these, just storing them.
        chksums = set(["md5", 'sha1', 'sha256', 'sha512'])

        for celem in elem:
diff --git a/yum/repoMDObject.py b/yum/repoMDObject.py
index 9f70f1d..2931816 100755
--- a/yum/repoMDObject.py
+++ b/yum/repoMDObject.py
@@ -94,8 +94,9 @@ class RepoMD:
        else:
            # srcfile is a file object
            infile = srcfile
-
-        infile = AutoFileChecksums(infile, ['md5', 'sha1', 'sha256'],
+
+        # We trust any of these to mean the repomd.xml is valid.
+        infile = AutoFileChecksums(infile, ['sha256', 'sha512'],
                                   ignore_missing=True)
        parser = iterparse(infile)

diff --git a/yum/yumRepo.py b/yum/yumRepo.py
index 765a595..b97f05a 100644
--- a/yum/yumRepo.py
+++ b/yum/yumRepo.py
@@ -1145,22 +1145,16 @@ class YumRepository(Repository, config.RepoConf):
        if repoXML.length != repomd.size:
            return False

-        #  MirrorManager isn't generating sha256 yet, and we should probably
-        # not require all of the checksums we produce.
-        done = set()
        for checksum in repoXML.checksums:
            if checksum not in repomd.chksums:
                continue

            if repoXML.checksums[checksum] != repomd.chksums[checksum]:
                return False
-            done.add(checksum)

-        #  Only allow approved checksums, might want to not "approve" of
-        # sha1/md5
-        for checksum in ('sha512', 'sha256', 'sha1', 'md5'):
-            if checksum in done:
-                return True
+            #  If we don't trust the checksum, then don't generate it in
+            # repoMDObject().
+            return True

        return False
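Review bot: The rewritten loop in yum/yumRepo.py returns True on the first checksum type present on both sides, so any other shared digest is never compared, and which one gets checked depends on the iteration order of `repoXML.checksums`. The set of trusted algorithms is also no longer stated here; it is implied by the list passed to `AutoFileChecksums` in yum/repoMDObject.py, so re-adding `md5` or `sha1` there would make this check accept them with no visible change in this function. Keeping a short explicit allow-list at the comparison site, and returning True only after every shared approved digest has matched, makes the policy local and the result deterministic. The enclosing method begins outside the hunk, so the names below are taken from the visible lines only.

```python
        # ... unchanged: repoXML.length != repomd.size check ...
        #  Only digests named here count as proof that repomd.xml is valid;
        # keep this in step with the list given to AutoFileChecksums.
        verified = False
        for checksum in ('sha512', 'sha256'):
            if checksum not in repoXML.checksums:
                continue
            if checksum not in repomd.chksums:
                continue
            if repoXML.checksums[checksum] != repomd.chksums[checksum]:
                return False
            verified = True

        return verified
```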

I haven't tested this yet, but does this implicitly mean we need to add a "Requires: python-hashlib" if we want that version to be usable on Python 2.4?

-sv
