Revision: tla--mainline--1.2--patch-1
Archive: walters@verbum.org--2003
Creator: Colin Walters <walters@verbum.org>
Date: Tue Jan  6 01:00:17 EST 2004
Standard-date: 2004-01-06 06:00:17 GMT
Modified-files: libarch/archive-pfs.c
    libarch/pfs-signatures.c
New-patches: walters@verbum.org--2003/tla--mainline--1.2--patch-1
Summary: add SHA1 to checksums, verify it [INCOMPATIBLE CHANGE]
Keywords: 

This changeset adds SHA1 hashes to the checksum file.  MD5 is considered
somewhat weak in the security community, especially on its own (i.e. without 
also verifying other data such as file size).  Given this, it seems prudent
to start using SHA1 as well.

This change is incompatible with the previous checksum file format.
Because of this, I also took this opportunity to switch the order
of the arguments in the checksum file, so it now looks like:

 Signature-for: jane@example.com--2003/hello-world--mainline--1.0--base-0
 md5 cb38477b6b4a10deeefd874689807a51 log
 sha1 c9ad541ef3ee49965c7f506176493d8b58745a47 log
 md5 0ac8ee42b72dee048228d608be3982d6 hello-world--mainline--1.0--base-0.src.tar.gz
 sha1 44398ba476091992c14a2eafbff4be67d364056d hello-world--mainline--1.0--base-0.src.tar.gz

Instead of:

 Signature-for: jane@example.com--2003/hello-world--mainline--1.0--base-0
 md5 log cb38477b6b4a10deeefd874689807a51
 md5 hello-world--mainline--1.0--base-0.src.tar.gz 0ac8ee42b72dee048228d608be3982d6

That way filenames with spaces (should any ever occur) are more cleanly supported.
This vaguely meshes with the default md5/sha1sum command-line utility output.
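
The following is an added example, not part of the changeset or of tla's C code in libarch: a Python sketch of reading the new-format checksum file and checking both digests for each file. The function names, the sample file contents and the file name containing a space are assumptions made for illustration.

```python
import hashlib

REQUIRED = ("md5", "sha1")  # the new format records both digests for every file
HEX = set("0123456789abcdef")

def parse_checksums(text):
    """Return (revision, {filename: {algo: hexdigest}}) for a new-format file."""
    revision, sums = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Signature-for:"):
            revision = line.split(":", 1)[1].strip()
            continue
        # New order is "<algo> <digest> <filename>": the filename is the rest
        # of the line, so embedded spaces survive the split.
        parts = line.split(" ", 2)
        if len(parts) != 3 or parts[0] not in REQUIRED:
            raise ValueError(f"malformed checksum line: {raw!r}")
        algo, digest, name = parts[0], parts[1].lower(), parts[2]
        # An old-format line ("md5 <filename> <digest>") fails this check
        # instead of being silently misread.
        if len(digest) != hashlib.new(algo).digest_size * 2 or not set(digest) <= HEX:
            raise ValueError(f"bad {algo} digest in line: {raw!r}")
        if algo in sums.setdefault(name, {}):
            raise ValueError(f"duplicate {algo} entry for {name!r}")
        sums[name][algo] = digest
    return revision, sums

def verify(sums, files):
    """files maps filename -> bytes. Return the sorted names that fail.

    A file fails if either digest is missing or does not match, so an
    MD5-only entry is never accepted.
    """
    bad = []
    for name, data in files.items():
        entry = sums.get(name, {})
        if not all(entry.get(a) == hashlib.new(a, data).hexdigest() for a in REQUIRED):
            bad.append(name)
    return sorted(bad)

# Constructed sample: file contents and the second file name are made up.
SAMPLE_FILES = {"log": b"Summary: demo\n", "release notes.txt": b"hello\n"}
SAMPLE_TEXT = (
    "Signature-for: jane@example.com--2003/hello-world--mainline--1.0--base-0\n"
    + "".join(f"{a} {hashlib.new(a, d).hexdigest()} {n}\n"
              for n, d in SAMPLE_FILES.items() for a in REQUIRED))
```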


