[Bitbake-dev] what's with the "md5sum" wget fetcher parameter?
rpurdie at rpsys.net
Mon Jan 18 12:28:34 CET 2010
On Mon, 2010-01-18 at 02:50 -0500, Robert P. J. Day wrote:
> ok, but this raises the question as to what the checksums are trying
> to protect against. if it's simple (accidental) download corruption,
> then an md5sum would be more than adequate. if it's spoofing or
> deliberate hacking and md5 is inadequate, why support md5 at all? why
> not just *exclusively* use sha256 and drop support for md5 altogether?
> or am i misunderstanding something here? perhaps i'll go off and
> read that entire thread beginning to end as soon as the coffee is
> ready. thanks.
I think the idea was to prevent any flaw in one of the algorithms being
exploited. Either checksum works as download corruption detection.
Just as a note about the future, I'd like to see bitbake support the md5
and sha256 parameters in urls the fetcher code directly itself and
automatically verify downloads. We're not quite there yet but its
planned. The code in OE is just stopgap until we get that sorted out.
More information about the bitbake-devel