
Re: Archive changes

On 2016-03-16 01:20, Steve McIntyre wrote:

I've just activated a few changes to the archive we talk(ed) about for a long time. And while it is not exactly the start of this release cycle,
it should still work out nicely (so one hopes).
As of now, InRelease/Release files, Packages and Sources no longer
provide MD5Sum and SHA1sums, only SHA256.
That (Packages and Sources) will break jigdo generation for debian-cd
(and hence all CD/DVD/BD builds). We can't fix this easily in a short
timescale - current released jigdo clients (both in Debian and
externally) use md5 internally to reference files in the archive. Not
as a *security* feature; this is the core design of jigdo.


If it really turns out that this is unchangeable for now - the code is
flexible enough to allow to freely select checksum types by suite, so
md5 could be turned on for a suite too. Without getting sha1 back.
(It's written so that it can simply support any checksum apt_pkg supports).

I'm not sure we *want* to support that, at least for sure not for more than stretch, but we could.

Additionally I turned off generating gzip compressed versions of those
files, xz is there.
And that will break various other parts of debian-cd.

Question is how hard a change of a compression tool is there.

To test it, this is limited to experimental. We hope nothing breaks on it,
but let's try for a few days. If that works out, we should adjust
unstable, and another short time later coordinate with the release team
to adjust testing, so it ends up in the next release.
Please, no. We need more time than that to fix things up.

It's not like it's an entirely new idea to do this.
How much?

Also, from reading the current replies, no one has a problem with removing sha1, so that one seems a set thing. md5 and gz files removals make people more happy.

bye Joerg
