[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#856211: anna: please implement SHA256 verification of .udeb files


Steven Chamberlain <steven@pyro.eu.org> (2017-02-27):
> Cyril Brulebois wrote:
> > AFAICT net-retriever does the fetching and checking work?
> Mayyybe...
> Although with 
> http://ftp.de.debian.org/debian/dists/testing/main/installer-i386/20170127/images/netboot/mini.iso
> I observed md5sum and sha256sum only being executed as indicated in the
> attached log.

So we're only checking newer checksums for Packages files (against what's in
Release files, bad bad bad us indeed. IIRC MD5sum field was kept (as in: added
back) because debian-cd needs it at the moment, which partly explains why this
wasn't fixed earlier.

I'm not sure whether this exists already (be it for the whole distribution or
for d-i specifically), but referencing places where stuff like parsing happens
(Release, Packages, etc.), and where checkums are used, would help figure out
what to change when the list of supported fields/checksums are updated. Might
be another way to leverage this whole debacle thing.


Attachment: signature.asc
Description: Digital signature

Reply to: