[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#818604: Relies on MD5SUM and SHA1SUM to download d-i images in a trustful way

Hi Didier,

On Fri, Mar 18, 2016 at 06:43:41PM +0100, Didier 'OdyX' Raboud wrote:
> Le vendredi, 18 mars 2016, 16.25:10 Didier 'OdyX' Raboud a écrit :
> > win32-loader (its standalone version, available from debian/tools/ )
> > currently relies exclusively on MD5 and SHA1 to trustfully download
> > the d-i images.
> B) Write a new standalone sha256sum.c NSIS plugin from one of the
>    existing implementations:
>   - libgcrypt: cipher/sha256.c (LGPLv2.1+)
>   - coreutils: lib/sha256.c (GPLv3+)
>   - e2fsprogs: lib/ext2fs/sha256.c (GPLv2)
>   - wget: lib/sha256.c (GPLv3+)
>   - glibc: crypt/sha256.c (LGPLv2.1+)
>   - … plenty of others
> Given that win32-loader is GPLv3 +, this excludes e2fsprogs', but others 
> should be fine.

It might be possible to use libgcrypt-mingw-w64-dev, currently in
experimental, to write a new NSIS plugin without duplicating the
hashing implementation... The libgcrypt package should end up in
Stretch before the release, since the whole point of it is to support
the Windows build of gnupg2.



Attachment: signature.asc
Description: PGP signature

Reply to: