[pacman-dev] [PATCH] makepkg: Fix whirlpoolsums support

[Eli Schwartz]

On 8/27/18 4:02 PM, Luke Shumaker wrote:
> From: Luke Shumaker <lukeshu at parabola.nu>
> 
> Commit 9cdfd187 introduced support for whirlpool checksums in v5.0.0.
> However, it was sloppy and missed several places where the list of
> checksums is used.  So fix that.  In several places, we can take advantage
> of the 'known_hash_algos' variable to simplify things a bit.
> 
> Commit 57770125 switched from using OpenSSL to GNU coreutils for doing the
> checksums in v5.1.0.  This broke the whirlpool support, as coreutils does
> not implement a 'whirlpoolsum' program.  So go back to using openssl for
> whirlpool sums only.
> ---
> I'm not particularly attached to whirlpool support, and if your
> reaction is "let's formally drop whirlpool", I wouldn't be upset by
> that.
> 
> A handful (15) of Parabola's PKGBUILDs use whirlpoolsums, which makes
> sense, because the author if the original whirlpoolsums commit is a
> Parabola contributor.  But, if you want to drop whirlpool, I have no
> problem saying that those packages need to migrate to a different
> checksum algorithm at their next update.
Huh, and we never documented that we supported it in the first place. :/

No wonder we didn't notice that this would break, and, equally, no
wonder users didn't hit this in the 2.5 years since 5.0.0 was tagged...

But, if we're going to support whirlpool then that means, going against
the original intent of the patch which broke this, that we now need the
openssl command-line tool even if built --with-crypto=nettle, because it
doesn't look like nettle supports whirlpool any more than base64.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20180827/eabf4a40/attachment.asc>