Remove weak checksum options for publishing RPM repos

Sha256 will work with anything newer than RHEL5, which is now 6 years past EOL and 3 years past even the extended lifecycle support phase. closes pulp#851
dralley · Dec 13, 2023 · 7d30663 · 7d30663
1 parent 807842b
commit 7d30663
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/CHANGES/pulp-glue/851.removal b/CHANGES/pulp-glue/851.removal
@@ -0,0 +1 @@
+pulp_rpm 3.25+ no longer allows publishing repositories with md5, sha1, or sha224 checksums.
diff --git a/pulp-glue/pulp_glue/rpm/context.py b/pulp-glue/pulp_glue/rpm/context.py
@@ -220,6 +220,15 @@ def preprocess_entity(self, body: EntityDefinition, partial: bool = False) -> En
                     feature=_("sqlite_metadata generation"),
                 )
             )
+        if "metadata_checksum_type" in body or "package_checksum_type" in body:
+            metadata_checksum_type = body.get("metadata_checksum_type")
+            package_checksum_type = body.get("metadata_checksum_type")
+            disallowed_checksums = {"md5", "sha1", "sha224"}
+
+            if metadata_checksum_type and metadata_checksum_type in disallowed_checksums:
+                self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
+            if package_checksum_type and package_checksum_type in disallowed_checksums:
+                self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
         return body
 
 
@@ -299,6 +308,15 @@ def preprocess_entity(self, body: EntityDefinition, partial: bool = False) -> En
                     feature=_("sqlite_metadata generation"),
                 )
             )
+        if "metadata_checksum_type" in body or "package_checksum_type" in body:
+            metadata_checksum_type = body.get("metadata_checksum_type")
+            package_checksum_type = body.get("metadata_checksum_type")
+            disallowed_checksums = {"md5", "sha1", "sha224"}
+
+            if metadata_checksum_type and metadata_checksum_type in disallowed_checksums:
+                self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
+            if package_checksum_type and package_checksum_type in disallowed_checksums:
+                self.pulp_ctx.needs_plugin(PluginRequirement("rpm", specifier=">=3.25.0", inverted=True, feature=_("weak checksums")))
         return body
 
     def sync(self, href: Optional[str] = None, body: Optional[EntityDefinition] = None) -> Any:

diff --git a/pulpcore/cli/rpm/common.py b/pulpcore/cli/rpm/common.py
@@ -1 +1 @@
-CHECKSUM_CHOICES = ("unknown", "md5", "sha1", "sha224", "sha256", "sha384", "sha512")
+CHECKSUM_CHOICES = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		pulp_rpm 3.25+ no longer allows publishing repositories with md5, sha1, or sha224 checksums.
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		CHECKSUM_CHOICES = ("unknown", "md5", "sha1", "sha224", "sha256", "sha384", "sha512")
		CHECKSUM_CHOICES = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")