[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#856210: libdebian-installer: please parse SHA256 field and add it to di_* structs

On Sun, Feb 26, 2017 at 06:30:31PM +0000, Steven Chamberlain wrote:
> The regression in Bug#856215 in cdebootstrap:
> "since SHA1 removal from Release file, only MD5sums are used"
> could only be fixed by adding support for the SHA256 fields.

Just FYI, since it's not clear from
https://wiki.debian.org/InstallerDebacle that you know this, the
installer in fact uses debootstrap rather than cdebootstrap to install
the base system.  AFAIK debootstrap has supported SHA256 since version
1.0.28 in 2011.

> An open question is whether to preserve any support for MD5.
> Keeping it would:
>   + reduce potential for breakage (in case MD5 is "good enough" for some
>     use-case or SHA256 is still impractical)
>   + allow verifiers to check both MD5 *and* SHA256, for even stronger
>     authentication in case one or both algorithms are broken

Checking both adds only negligible security (look up "multicollisions")
and is a waste of time.

The usual reason to keep support for older hash algorithms is just to
make transitions to newer ones less painful.

Colin Watson                                       [cjwatson@debian.org]

Reply to: