[gentoo-dev] SHA256 digest issues

[gentoo-dev] SHA256 digest issues

[Marien Zwart]

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

As reported in bug 131293 a pycrypto bug caused a lot of digest and
Manifest files to be created with bogus sha256 hashes. A fixed
pycrypto (2.0.1-r5) was committed to the tree. This means the
following:

- If you run ~arch portage and the latest pycrypto you will hit digest
  failures. You will hit fewer digest failures as packages are fixed.
- If you run ~arch portage and do not upgrade pycrypto you will hit
  more and more digest issues as stuff is fixed.
- If you run stable portage you are not affected.

If you commit to the tree with an unfixed pycrypto you can add new
broken digests, so please do not do that.

We (portage project) are fixing known broken Manifests/digests. If you
come across any broken SHA256 digests feel free to fix them though:
the package is basically unusable with ~arch portage until it is
fixed, and fixing it twice does not really hurt :)

Apologies for the inconvenience.

-- 
Marien.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] SHA256 digest issues

[Ciaran McCreesh]

On Thu, 27 Apr 2006 12:50:02 +0200 Marien Zwart <marienz@gentoo.org>
wrote:
| We (portage project) are fixing known broken Manifests/digests. If you
| come across any broken SHA256 digests feel free to fix them though:
| the package is basically unusable with ~arch portage until it is
| fixed, and fixing it twice does not really hurt :)

If you're looking to avoid downloading too much... All source tarballs
whose file size (mod 64) is 55 are the ones affected, which would
suggest that somewhere very roughly in the region of one package in
sixty four with SHA256 digests is h0rked.

There's a good testsuite which would have caught this at [1].

[1]: http://csrc.nist.gov/cryptval/shs.htm

-- 
Ciaran McCreesh
Mail            : ciaran dot mccreesh at blueyonder.co.uk


-- 
gentoo-dev@gentoo.org mailing list