Infrastructure has been asked to update the lookaside (and sources) hash to sha256sum: https://fedorahosted.org/fedora-infrastructure/ticket/3358
The https://fedoraproject.org/w/index.php?title=Packaging:ReviewGuidelines page lists md5sum explicitly. The only justification I see for that specificity is that posting md5sums in the review allows a clear trail from what was reviewed to what was imported into the scm: http://lists.fedoraproject.org/pipermail/packaging/2009-October/006550.html
I propose the following change once we upgrade lookaside cache and fedpkg to sha256sum:
'''MUST:''' The sources used to build the package must match the upstream source, as provided in the spec URL. Reviewers should use sha256sum for this task as it is used by the sources file once imported into git. If no upstream URL can be specified for this package, please see the Source URL Guidelines for how to deal with this.
sources
EASYFIX, I'll add this in the next pass (no need to wait on infrastructure here).
Announce text:
The review guidelines now reflect the use of sha256sum (instead of md5sum) to confirm upstream source integrity.
https://fedoraproject.org/wiki/Packaging:ReviewGuidelines#Things_To_Check_On_Review
Metadata Update from @spot: - Issue assigned to spot
Login to comment on this ticket.