Review guidelines source checksum algorithm
On Sat, 2 Apr 2011 13:35:43 +0200, Björn wrote:
> Garrett Holmstrom wrote:
> > The main review guidelines page  specifically requires that one use
> > md5sum to compare packages' tarballs against those from upstream. Is it
> > necessary to require a specific algorithm? If so, should it still be
> > MD5 in this day and age?
The guidelines say "should" not "MUST". An attempt at making clear that
the reviewer (and the packager) should actually run some tool to compare
the included tarball with upstream's. Else some reviewers would just
compare the file name or check that the URL is valid, but not compare
sha256sum would be fine, too, of course.
> Why use checksums at all when diff works just fine?
> Björn Persson
Sure, binary diff (byte-wise comparison I guess) is fine, too.
packaging mailing list