Bug 102163

Summary: download.lst shouldn't use md5, but rather at least sha256
Product: LibreOffice Reporter: Domen Kožar <domen>
Component: LibreOfficeAssignee: Not Assigned <libreoffice-bugs>
Status: CLOSED FIXED    
Severity: normal CC: domen
Priority: medium    
Version: 5.3.0.0.alpha0+   
Hardware: All   
OS: All   
Whiteboard:
Crash report or crash signature: Regression By:

Description Domen Kožar 2016-09-13 15:57:18 UTC 
Hi,

at NixOS linux distribution we're using https://cgit.freedesktop.org/libreoffice/core/tree/download.lst as a source to build libreoffice using a script.

We're trying to get rid of md5 and libreoffice is one of the last software using it.

Could we change that list to use a secure hashing algorithm?

Domen
Comment 1 Markus Mohrhard 2016-09-13 17:40:53 UTC 
The use of md5 is not meant as secure hashing algorithm. It is only used as a way to recognize corrupted data transmissions.
Comment 2 Domen Kožar 2016-09-13 17:42:30 UTC 
I realize that, but it's useful to use upstream hashes for distros.

Would it be too much of a hassle to change the algorithm?
Comment 3 Eike Rathke 2016-09-13 21:05:19 UTC 
That would not only be a change of the gbuild download mechanism, but as tarballs are shared between different branches of LibreOffice also would involve either adding symlinks for all tarballs that include the md5sum in the file name on the download server to have both, md5sum and sha256sum, available, or continue to use the name that includes the md5sum but have an additional sha256sum for the content, which might be even more confusing.

I don't get the "useful to use upstream hashes for distros", distros mostly use the already available system libraries to build LibreOffice, unless those are too old or too new.
Comment 4 Domen Kožar 2016-09-21 08:19:44 UTC 
OK, we've implemented sha256 hashing and don't use upstream md5 anymore.
Comment 5 Eike Rathke 2017-04-26 12:01:02 UTC 
FYI, master (to-be 5.4) uses sha256 now.