When 12.1 had problems with different versions of RPMs in the mirror system, I created a script to verify my local copy of the openSUSE repos. See the following:
https://bugzilla.novell.com/show_bug.cgi?id=742772
After I saw a large number of files download last week, I ran my script and it reported a large number of files with bad checksums (4.8K in 12.2 OSS Updates, and 6.9K in 12.3 OSS Updates). NonOSS had around six in both 12.2 and 12.3, all flash. My script then uses aria2c to download the correct version in the mirror system using the meta4 files. Aria2c was showing bad checksums and would take multiple downloads before it got the file which matched the checksum in the meta4 file.
My script was showing that the checksums still did not match repodata. My first thought was that the 12.1 problem had returned, so I submitted a bug to openSUSE.
https://bugzilla.novell.com/show_bug.cgi?id=843679
After doing a lot of troubleshooting I found that the checksums in repodata for these files were a sha1 checksum and not a sha256.
It appears that the updates I have pending are all sha256 checksums, so I am not able to say if zypper is able to use both sha1 and sha256 checksums from repodata.
    # Unpack the filelists metadata into a fresh temporary file
    zcat repodata/e6e5447767638a711205003715bc4fa05c39b0489cfcfbbd0b8a37a47bfbfe06-filelists.xml.gz > tmpFileList
    # For each package name, print its non-source pkgid (checksum) entries
    for i in boost-license1_49_0 gpg2 icedtea-web libboost_program_options1_49_0 libboost_regex1_49_0 libboost_signals1_49_0 libboost_system1_49_0 libboost_thread1_49_0 libmysqlclient18 libmysqld18 libsnmp30 libtiff5 libtiff5-32bit libtiff-devel MozillaFirefox MozillaThunderbird mysql-community-server-client mysql-community-server-errormessages snmp-mibs timezone timezone-java vino; do
        echo "$i"
        grep -- "$i" tmpFileList | grep pkgid | grep -v src
    done
I have not had an answer back from my bug report. I tried to send an email to the mirror@opensuse.org list, but was denied. I sent an email to admin@opensuse.org asking why my email to mirror was denied when I used to be subscribed to the list, and I do not remember unsubscribing. I have not heard back from admin@opensuse.org.
From wiki for sha 1
SHA-1 - Wikipedia, the free encyclopedia
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use.[3] NIST required many applications in federal agencies to move to SHA-2 after 2010 because of the weakness.
Are the checksums supposed to be sha256?
Does zypper check other checksums if sha256 does not match repodata? If so, what other checksums will zypper and repodata use?
Thanks
Dave W
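
Added example (not part of the original post, and not the poster's script): a mirror check that hashes each package with the algorithm its `<checksum type="...">` element in repodata primary.xml declares, instead of assuming sha256, so sha1-listed packages are not reported as bad. The function names, the sample package names and the sample metadata are constructed for illustration; treating "sha" as a legacy spelling of SHA-1 is an assumption about older createrepo output.

```python
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"c": "http://linux.duke.edu/metadata/common"}
# Declared checksum type -> hashlib name ("sha" assumed to be legacy SHA-1).
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}

def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large RPMs do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_repo(primary_xml, repo_root):
    """Return {href: (declared_type, status)} for every package in primary.xml."""
    results = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        cks = pkg.find("c:checksum", NS)
        declared = cks.get("type", "").lower()
        algo = ALGOS.get(declared)
        path = Path(repo_root) / href
        if algo is None:
            status = "unknown-type"      # never guess an algorithm
        elif not path.is_file():
            status = "missing"
        elif file_digest(path, algo) == (cks.text or "").strip().lower():
            status = "ok"
        else:
            status = "mismatch"          # candidate for re-download
        results[href] = (declared, status)
    return results

def build_sample(repo_root):
    """Constructed data (not real openSUSE metadata): c.rpm is corrupted on disk."""
    pkgdir = Path(repo_root) / "x86_64"
    pkgdir.mkdir(parents=True, exist_ok=True)
    entries = []
    for name, ctype, corrupt in [("a.rpm", "sha", False), ("b.rpm", "sha256", False),
                                 ("c.rpm", "sha256", True)]:
        data = name.encode() * 100
        digest = hashlib.new(ALGOS[ctype], data).hexdigest()
        (pkgdir / name).write_bytes(data + (b"!" if corrupt else b""))
        entries.append(f'<package type="rpm"><checksum type="{ctype}" pkgid="YES">'
                       f'{digest}</checksum><location href="x86_64/{name}"/></package>')
    return ('<metadata xmlns="%s">%s</metadata>' % (NS["c"], "".join(entries))).encode()
```

Against a real mirror, pass the decompressed primary.xml bytes and the repository root directory to `verify_repo`.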