Cyril Brulebois wrote: > IIRC MD5sum field was kept (as in: added > back) because debian-cd needs it at the moment, which partly explains why this > wasn't fixed earlier. I think backward-compatibility would have been okay as long as *either*: * the archive published Release files with old+new hash algorithms; or * the utilities consuming it, supported the old/new hash algorithms; but here we had done both of those things, which allowed for a downgrade to go unnoticed. I think right now it is easier to fix anna+cdebootstrap than debian-cd? > but referencing places where stuff like parsing happens > (Release, Packages, etc.), and where checkums are used, Yesss, but only if someone updated that documentation with what the code is doing. Removal of SHA1 in Relases had an action-at-a-distance effect on cdebootstrap, so it wouldn't be clear that the documentation needed to change then. In the ideal world, the code itself would be the clear, authoritative reference of what it is doing. I wish that we can remove all references to md5 and sha1 there. Regards, -- Steven Chamberlain steven@pyro.eu.org
Attachment:
signature.asc
Description: Digital signature