`sources` file format and explanation

What are the sources files in src.fedoraproject.org repositories?

For example Tree - rpms/python-pip - src.fedoraproject.org

image

This looks like a checksum, but what kind of checksum and what for?

2 Likes

They are md5 checksums of the source files which are defined with Source* tags in the spec file. There are other packages (like dnf) which uses other algorithms instead of md5.

1 Like

But MD5 is not secure. It is possible to generate different .tar.gz with the same hash. Is the sources file the only security guarantee?

1 Like

In this case, the hash is just a key looking into the source code cache we control. So cryptographic security is not a primary concern here – someone would need to be a Fedora packager to upload the generated colliding tar.gz, and we’d see who did it.

But in fact, we’ve been using SHA512 for several years now – note that your link is to a pretty old fork. See the current https://src.fedoraproject.org/rpms/python-pip/blob/rawhide/f/sources:

2 Likes

By the way, you can use the fedpkg command-line tool to fetch sources from the cache.

1 Like