`sources` file format and explanation

abitrolly · September 4, 2021, 4:02am

What are the sources files in src.fedoraproject.org repositories?

For example Tree - rpms/python-pip - src.fedoraproject.org

This looks like a checksum, but what kind of checksum and what for?

ersen · September 4, 2021, 7:09am

They are md5 checksums of the source files which are defined with Source* tags in the spec file. There are other packages (like dnf) which uses other algorithms instead of md5.

abitrolly · September 4, 2021, 7:18am

But MD5 is not secure. It is possible to generate different .tar.gz with the same hash. Is the sources file the only security guarantee?

mattdm · September 4, 2021, 1:30pm

In this case, the hash is just a key looking into the source code cache we control. So cryptographic security is not a primary concern here – someone would need to be a Fedora packager to upload the generated colliding tar.gz, and we’d see who did it.

But in fact, we’ve been using SHA512 for several years now – note that your link is to a pretty old fork. See the current https://src.fedoraproject.org/rpms/python-pip/blob/rawhide/f/sources:

mattdm · September 4, 2021, 1:32pm

By the way, you can use the fedpkg command-line tool to fetch sources from the cache.

Topic		Replies	Views
Fedpkg, srpm and source file Ask Fedora rpm , packages , keepassxc	9	247	July 29, 2024
Fedpkg can't fetch source from spec file? Ask Fedora f35	4	1879	January 3, 2022
Fedora 36 open source, decompile, verification Ask Fedora f36 , security	8	916	June 17, 2022
Fedora provided source doesn't match upstream Ask Fedora f37 , python , packages	5	321	December 22, 2022
Where to find the checksum for Fedora 38 and some other questions Ask Fedora f38 , workstation	43	5047	May 15, 2023

`sources` file format and explanation

Related topics