Re: Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs
On Sun, Feb 26, 2017 at 06:30:31PM +0000, Steven Chamberlain wrote:
> The regression in Bug#856215 in cdebootstrap:
> "since SHA1 removal from Release file, only MD5sums are used"
> could only be fixed by adding support for the SHA256 fields.
Just FYI, since it's not clear from
https://wiki.debian.org/InstallerDebacle that you know this, the
installer in fact uses debootstrap rather than cdebootstrap to install
the base system. AFAIK debootstrap has supported SHA256 since version
1.0.28 in 2011.
> An open question is whether to preserve any support for MD5.
> Keeping it would:
> + reduce potential for breakage (in case MD5 is "good enough" for some
> use-case or SHA256 is still impractical)
> + allow verifiers to check both MD5 *and* SHA256, for even stronger
> authentication in case one or both algorithms are broken
Checking both adds only negligible security (look up "multicollisions")
and is a waste of time.
The usual reason to keep support for older hash algorithms is just to
make transitions to newer ones less painful.
Colin Watson [email@example.com]