| Summary: | please update Isodumper to check sha3 as sha1 has been obsoleted | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Ben McMonagle <westel> |
| Component: | RPM Packages | Assignee: | Mageia tools maintainers <mageiatools> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, marja11, yvesbrungard |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO | ||
| Source RPM: | isodumper | CVE: | |
| Status comment: | |||
|
Description
Ben McMonagle
2019-03-30 01:21:07 CET
I can't find anything about "checksum" or "sha3" in isodumper's git log, so assuming this needs to be fixed in cauldron, too. Source RPM:
(none) =>
isodumper This isn't quite right - it's the sha1 sum that's been obsoleted, not the sha512 sum.
> The sha512 sum check is OK but the signature can't be found.
This is warning that the GPG signature is missing. The GPG signature is only added when the ISOs are publicly released.CC:
(none) =>
mageia Hello,
With accurate reading, this is only signature file which is lacking. The sum has been calculated and checked:
> The sha512 sum check is OK
The tradition is to sign only released ISO, which is not yet the case for beta3.
Isodumper uses hashlib to calculate the sum. The documentation reports that sha3 sums are available since Python 3.6, however Mageia 6 runs with Python 3.5 only.
I presume this will be not be easily fixed for sha3 sum.
Thus we will have to use another sum to check. Which ones are provided ? md5 ?
In the same time, I don't found the command in bash to check the sha3 sum.
In Mageia 6, I found:
sha
sha1sum sha256sum sha512sum
sha224sum sha384sum
What is the command?
(In reply to Martin Whitaker from comment #2) > > The GPG signature is only > added when the ISOs are publicly released. Is there a reason not to do this for ISOs not yet released? We have also to adapt our documentation and website for the next release. What is the new policy, thus? It isn't currently available in Mageia 6. It can be used by installing the Mageia 7 rpm packages for now (in a Mageia 6 system) ... sha3sum-1.1.5-1.mga7 lib64keccak1-1.2-1.mga7 Changing isodumper to support sha3sums will require adding those packages to Mageia 6. While the packages would be an addition for the stable release, that addition would fit into our exceptions as it's required for the bugfix update to isodumper. My guess as to why they are not generated for iso images prior to release is that someone has to ssh into rabbit to enter the gpg passphrase manually. CC:
(none) =>
davidwhodgins (In reply to Martin Whitaker from comment #2) > This isn't quite right - it's the sha1 sum that's been obsoleted, not the > sha512 sum. > Ah, good, I was worrying that I had missed something. Adjusting the summary. Summary:
please update Isodumper to check sha3 as sha512 has been obseleted =>
please update Isodumper to check sha3 as sha1 has been obsoleted As DavidWH said on the ML earlier this week, the check needs package sha3sum (urpmi finds it). This includes commands: sha3-224sum, sha3-256sum, sha3-384sum and sha3-512sum Fixed with IsoDumper 1.17 release. Resolution:
(none) =>
FIXED |