Re: Bug#942893: ftp.debian.org: please drop MD5sum lines from Packages
On Tue, Oct 22, 2019 at 11:51:56PM +0200, Ansgar wrote:
>Daniel Kahn Gillmor writes:
>> The Packages file is growing, and we would like to keep it smaller.
>>
>> The MD5sum lines are vestigial at this point. Anything that they do
>> can be done better with the data from the SHA256sum lines.
>
>I agree it would be nice to remove MD5sum from Packages; there are a few
>other fields that might also not be that useful (e.g. Maintainer).
>
>> #887831 suggests that jigdo may currently still be broken if MD5sum
>> goes away, but perhaps that's more of a reflection on the unmaintained
>> state of jigdo than it is on the state of the archive.
>
>>From looking, I believe it is debian-cd's tools/grab_md5 that is using
>the MD5sum from Packages (and Sources) to avoid having to compute all
>these checksums itself.
Well, not just that. It grabs them for use in the jigdo file. The
jigdo backend in xorriso (libjte) also checks them as it creates the
ISO, for sanity checking on archive/mirror consistency right there.
>We could look into either
>
> - writing MD5sum in a separate file only used by debian-cd (if present,
> otherwise debian-cd should fall back to using Packages), or
>
> - using a (truncated) sha256sum; this requires that the jigdo client
> only uses the "md5sum" as an opaque identifier for a file.
The actual md5 checksum is calculated by the clients too, so the
latter is not really an option.
I've started a local branch to update jigdo and jigit/libjte to use
sha256 some time ago, but -ENOTIME. As mentioned in IRC yesterday, we
will also need some time to update clients in the field to be able to
upgrade safely. That includes Windows binaries (yay!)...
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"Because heaters aren't purple!" -- Catherine Pitt
Reply to: