Re: Bug#540215: Introduce dh_checksums

To: debian-devel@lists.debian.org
Subject: Re: Bug#540215: Introduce dh_checksums
From: Harald Braumann <harry@unheit.net>
Date: Tue, 9 Mar 2010 19:35:41 +0100
Message-id: <[🔎] 20100309183541.GA25679@nn.nn>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20100309165059.GR18278@p12n.org>
References: <[🔎] 87wrxmbkdn.fsf@windlord.stanford.edu> <[🔎] 1268085864.21347.11498.camel@solid.paris.klabs.be> <[🔎] 87d3zea1fu.fsf@windlord.stanford.edu> <[🔎] 20100308225913.GA25043@gnu.kitenet.net> <[🔎] 20100309033842.GB15017@nn.nn> <[🔎] 87k4tmupju.fsf@windlord.stanford.edu> <[🔎] 20100309034954.GA4125@gnu.kitenet.net> <[🔎] 87d3zeuoxr.fsf@windlord.stanford.edu> <[🔎] 1268123295.21347.12099.camel@solid.paris.klabs.be> <[🔎] 20100309165059.GR18278@p12n.org>

On Tue, Mar 09, 2010 at 10:50:59AM -0600, Peter Samuelson wrote:
> 
> [Frank Lin PIAT]
> > Please, let's do the easy move *now* for Squeeze, using shasums, and
> > go ahead later with an even better solution.
> 
> Drawbacks: more CPU time on build daemons, slightly larger binary
> packages to download, and some disruption when we're trying to get a
> release out the door.
> 
> Advantages: ... umm ... warm fuzzy feeling that we aren't relying on
> that old stupid broken MD5 thing that is so out of fashion these days
> among the cognoscenti?
> 
> If you really want to use /var/lib/dpkg/info/pkg.*sums files for any
> purpose other than detecting non-malicious corruption, obviously you
> need _either_ some form of package signatures, _or_ a server akin to
> http://packages.debian.org/changelogs/ for serving checksums from a
> more trusted source.  And of course if you have that sort of server
> support anyway - why not just calculate those sha16384 sums on the
> server, with no change to the debs at all?

See, you don't need a server. You just ship a signature over the hash
files. Easy as that. Of course the hashes would neet to be something more
secure than md5, for that warm fuzzy feeling that in two years time
not every script kiddy can mount hash attacks on their home computer.

harry

Reply to:

Follow-Ups:
- Re: Bug#540215: Introduce dh_checksums
  - From: Peter Samuelson <peter@p12n.org>

References:
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Peter Samuelson <peter@p12n.org>

Prev by Date: Re: Debian Package
Next by Date: Re: Bug#572374: please consider Section: Education
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread