
Bug#712640: net-retriever checks only md5sums



Hey Cyril,

On Mon, Jan 27, 2014 at 12:54 AM, Cyril Brulebois <kibi@debian.org> wrote:
> As far as I can see, we have MD5Sum, SHA1, and SHA256 for all of
> oldstable, stable, and testing. I've therefore modified the code to
> support an unconditional loop over those 3 values, which you can review
> in the git repository (multi-checksums branch).

The patches look good to me. I have one question though (repeating here from IRC):

Do we really want to make the set of current checksums mandatory? This will make it harder to drop some and replace them by stronger ones. Disclaimer: I don't know what apt does.

Clearly we need to avoid the downgrade attack of someone dropping all the hashes except MD5 (even though we will of course still GPG-verify the hashset) and then replacing content. So maybe two of three? Those that are there and a strong one? I don't know, I just want to encourage some thought on this. ;-)

Kind regards
Philipp Kern
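
The policy floated in the message above ("those that are there and a strong one"), sketched as an added example; it is not net-retriever or apt code. The `STRONG` set, the function names and the sample Release fragment are assumptions constructed for illustration, and the Release text is assumed to have been GPG-verified already.

```python
import hashlib

# Release field name -> hashlib algorithm. STRONG is this example's assumption
# about which fields count as strong; it is not taken from net-retriever or apt.
KNOWN = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}
STRONG = {"SHA256"}

def parse_release_checksums(release_text):
    """Return {path: {field: hexdigest}} from an already GPG-verified Release."""
    sums, field = {}, None
    for line in release_text.splitlines():
        if line and not line[0].isspace():        # "Field:" header line
            name = line.split(":", 1)[0]
            field = name if name in KNOWN else None
        elif field and len(line.split()) == 3:    # " <digest> <size> <path>"
            digest, _size, path = line.split()
            sums.setdefault(path, {})[field] = digest.lower()
    return sums

def verify(path, data, sums):
    """Check every checksum that is listed and insist on at least one strong one."""
    listed = sums.get(path, {})
    if STRONG.isdisjoint(listed):
        return False, "no strong checksum listed"  # e.g. everything but MD5 dropped
    for field, expected in listed.items():
        if hashlib.new(KNOWN[field], data).hexdigest() != expected:
            return False, field + " mismatch"
    return True, "ok"

def make_release(path, data, fields):
    """Build a constructed Release fragment listing `fields` for `data`."""
    out = ["Suite: constructed-example"]
    for f in fields:
        digest = hashlib.new(KNOWN[f], data).hexdigest()
        out += [f + ":", " %s %d %s" % (digest, len(data), path)]
    return "\n".join(out)

if __name__ == "__main__":
    path, good = "example/Packages", b"constructed index\n"
    for fields in (["MD5Sum", "SHA1", "SHA256"], ["SHA256"], ["MD5Sum"]):
        sums = parse_release_checksums(make_release(path, good, fields))
        print(fields, verify(path, good, sums), verify(path, b"tampered", sums))
```

Under this policy a Release that lists only SHA256 still verifies, so weak hashes can be dropped later, while one that lists only MD5Sum is rejected even when the MD5 digest matches.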
