Disable md5 publishing

Currently all registered checksums are computed and published, but in
some cases it might be usefully to be able to verify a checksum but we
don't want to publish it.

This also includes disabling the md5 checksum, we publish sha-256 > 4
years and warn about md5 > 1 year now so it seems valid to stop
publishing it now at all.

bundles/org.eclipse.equinox.p2.artifact.repository/plugin.xml

@@ -44,6 +44,7 @@
         algorithm="MD5"
         id="md5"
         priority="-2000"
+        publish="false"
         warnInsecure="true">
 		</artifactChecksum>
 	</extension>

bundles/org.eclipse.equinox.p2.artifact.repository/schema/artifactChecksums.exsd

@@ -91,6 +91,13 @@ Set to true if this algorithm is now considered as insecure. A warning will be l
                </documentation>
             </annotation>
          </attribute>
+         <attribute name="publish" type="boolean" use="default" value="true">
+            <annotation>
+               <documentation>
+                  Controls if this checksum should be published when assembling a repository.
+               </documentation>
+            </annotation>
+         </attribute>
       </complexType>
    </element>
 

bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/checksum/ChecksumUtilities.java

@@ -115,7 +115,7 @@ public static IStatus calculateChecksums(File pathOnDisk, Map<String, String> ch
 		for (IConfigurationElement checksumVerifierConfiguration : ChecksumUtilities
 				.getChecksumComparatorConfigurations()) {
 			String id = checksumVerifierConfiguration.getAttribute("id"); //$NON-NLS-1$
-			if (checksumsToSkip.contains(id))
+			if (checksumsToSkip.contains(id) || !shouldPublish(checksumVerifierConfiguration))
 				// don't calculate checksum if algo is disabled
 				continue;
 			String algorithm = checksumVerifierConfiguration.getAttribute("algorithm"); //$NON-NLS-1$
@@ -161,6 +161,14 @@ public static IStatus calculateChecksums(File pathOnDisk, Map<String, String> ch
 		return status;
 	}
 
+	private static boolean shouldPublish(IConfigurationElement checksumVerifierConfiguration) {
+		String attribute = checksumVerifierConfiguration.getAttribute("publish"); //$NON-NLS-1$
+		if (attribute == null || attribute.isBlank()) {
+			return true;
+		}
+		return Boolean.parseBoolean(attribute);
+	}
+
 	/**
 	 * @param property either {@link IArtifactDescriptor#ARTIFACT_CHECKSUM} or {@link IArtifactDescriptor#DOWNLOAD_CHECKSUM}
 	 * @param checksums

bundles/org.eclipse.equinox.p2.tests/src/org/eclipse/equinox/p2/tests/artifact/processors/ProduceChecksumTest.java

@@ -12,6 +12,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 import java.io.File;
@@ -39,8 +40,7 @@ public void testChecksums() throws IOException {
 				Collections.emptyList());
 		assertTrue(status.toString(), status.isOK());
 		String md5sum = hashMap.get("md5");
-		assertNotNull("MD5 was not computed!", md5sum);
-		assertEquals("MD5 mismatch", "25b68bb92a7a77238bd60ad5e21bb91f", md5sum);
+		assertNull("MD5 was computed but should be disabled!", md5sum);
 		String sha256sum = hashMap.get("sha-256");
 		assertNotNull("SHA256 was not computed!", sha256sum);
 		assertEquals("SHA256 mismatch", "39d083c8c75eac51b2c4566cca299b41cc93d5b0313906f5979fbebf1104ff49", sha256sum);