On 8/27/18 4:02 PM, Luke Shumaker wrote:
From: Luke Shumaker <lukeshu@parabola.nu>
Commit 9cdfd187 introduced support for whirlpool checksums in v5.0.0. However, it was sloppy and missed several places where the list of checksums is used. So fix that. In several places, we can take advantage of the 'known_hash_algos' variable to simplify things a bit.
Commit 57770125 switched from using OpenSSL to GNU coreutils for doing the checksums in v5.1.0. This broke the whirlpool support, as coreutils does not implement a 'whirlpoolsum' program. So go back to using openssl for whirlpool sums only.
---
I'm not particularly attached to whirlpool support, and if your reaction is "let's formally drop whirlpool", I wouldn't be upset by that.
A handful (15) of Parabola's PKGBUILDs use whirlpoolsums, which makes sense, because the author of the original whirlpoolsums commit is a Parabola contributor. But, if you want to drop whirlpool, I have no problem saying that those packages need to migrate to a different checksum algorithm at their next update.

Huh, and we never documented that we supported it in the first place. :/
No wonder we didn't notice that this would break, and, equally, no wonder users didn't hit this in the 2.5 years since 5.0.0 was tagged...

But, if we're going to support whirlpool then that means, going against the original intent of the patch which broke this, that we now need the openssl command-line tool even if built --with-crypto=nettle, because it doesn't look like nettle supports whirlpool any more than base64.

--
Eli Schwartz
Bug Wrangler and Trusted User