
Re: Should not .jigdo files be in SHA512SUMS ?



Hi,

I looked into jigdo-file about the safety of the final jigdo-lite statement
  "OK: Checksums match, image is good!"

The message stems from
  src/jigdo-file-cmd.cc
where I read

  MD5Sum md; // MD5Sum of image
  md.updateFromStream(*image, info->size(), readAmount, *optReporter);
  md.finish();
  if (*image) {
    image->get();
    if (image->eof() && md == info->md5()) {
      optReporter->info(_("OK: Checksums match, image is good!"));
      return 0;

So probably jigdo-file has to learn other checksumming algorithms like
SHA512 in order to get sufficient safety against intentional manipulation.

Until then, it should not be that much affirmative in its message, but
rather tell that it's only tested by a (yet untrusted) MD5 and that the
usual verification procedure for downloaded ISOs is still needed.


Have a nice day :)

Thomas
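
An added example, not part of the original message and not jigdo code: a sketch of checking an assembled image against a sha512sum-style SHA512SUMS file instead of relying on the MD5 comparison quoted above. It assumes the SHA512SUMS text has already been authenticated (for example by its detached signature); the file name sample.iso and the image bytes are constructed.

```python
import hashlib
import hmac
import os
import string
import tempfile

def parse_sums(text):
    """Parse sha512sum-style lines: '<128 hex digits> <mode char><file name>'."""
    sums = {}
    for line in text.splitlines():
        digest, _, rest = line.strip().partition(" ")
        if len(digest) != 128 or not rest or set(digest) - set(string.hexdigits):
            continue  # blank line, comment, or not a SHA-512 entry
        name = rest[1:] if rest[0] in " *" else rest  # mode char: ' ' or '*'
        sums[name] = digest.lower()
    return sums

def sha512_of(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte image is never held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(image_path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the image's base name."""
    expected = parse_sums(sums_text).get(os.path.basename(image_path))
    if expected is None:
        return "unlisted"  # treat as a failure: nothing vouches for this file
    return "ok" if hmac.compare_digest(sha512_of(image_path), expected) else "mismatch"

def demo():
    """Constructed sample: a small stand-in image and a matching sums entry."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "sample.iso")  # hypothetical file name
        with open(image, "wb") as f:
            f.write(b"constructed image bytes" * 1000)
        sums = "%s  sample.iso\n" % sha512_of(image)
        before = verify_image(image, sums)
        with open(image, "r+b") as f:  # overwrite one byte to model a modified image
            f.write(b"X")
        after = verify_image(image, sums)
        unlisted = verify_image(image, "")
    return before, after, unlisted

if __name__ == "__main__":
    print(demo())
```
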

