
Re: Bug#942893: ftp.debian.org: please drop MD5sum lines from Packages

On Wed, Oct 23, 2019 at 09:29:53PM -0400, Daniel Kahn Gillmor wrote:
>On Wed 2019-10-23 16:39:24 +0100, Steve McIntyre wrote:
>> On Tue, Oct 22, 2019 at 11:51:56PM +0200, Ansgar wrote:
>>> - writing MD5sum in a separate file only used by debian-cd (if present,
>>>   otherwise debian-cd should fall back to using Packages), or
>
>Sounds like this is the only option available given the constraints of
>deployed systems in the field.
>
>What parts of debian's internal machinery need to be updated to do such
>a thing?
>
>> I've started a local branch to update jigdo and jigit/libjte to use
>> sha256 some time ago, but -ENOTIME.
>
>Bummer, and I feel for you.
>
>Perhaps we should officially EOL jigdo now, if no one has time to work
>on it.

No, *really* no. It's just bumped up my priority list now.

>Obviously, we'd continue supporting deployed legacy systems and give
>them a chance (one release cycle?) to switch to something that is
>actually maintained, but it is doing them no favors to pretend that a
>system they're relying on is getting maintenance when no one has time to
>work on it.

It's more complicated than this - we *also* use jigdo for:

 * mirroring of images, both on the mirror network and also for those
   of us doing release day tests etc.

 * providing a wider range of images for download without having to
   store all the data for ISO / BT download (e.g. a full range of
   DVDs, BD images, etc.)

 * archiving older releases, again so we don't have to keep *all* the
   ISOs *ever*

>> As mentioned in IRC yesterday, we will also need some time to update
>> clients in the field to be able to upgrade safely. That includes
>> Windows binaries (yay!)...
>
>The time to update (or deprecate) deployed clients that depend on md5
>for object integrity was something like 8 years ago when RFC 6151 was
>published :(

The vast majority of the usage of MD5 here is for (essentially)
content-addressable storage. Given the context (with a checksum over
the whole image too), this is not such a critical failing.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Getting a SCSI chain working is perfectly simple if you remember that there
  must be exactly three terminations: one on one end of the cable, one on the
  far end, and the goat, terminated over the SCSI chain with a silver-handled
  knife whilst burning *black* candles. --- Anthony DeBoer
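As an added illustration of the point above about MD5 serving as a content-addressable lookup key with a stronger checksum over the whole image (example code written for this page, not jigdo's or debian-cd's own code; the parts, keys and mirror store are constructed):

```python
import hashlib

# Added example (not from the thread or from jigdo itself): a jigdo-style
# reconstruction in miniature. Each part of an image is looked up in a
# content-addressable store by its MD5, and the reassembled image is then
# checked against a SHA-256 over the whole image.

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_template(parts):
    """Describe an image as an ordered list of MD5 part keys plus a SHA-256
    of the whole image (hypothetical stand-in for a .jigdo/.template pair)."""
    return [md5_hex(p) for p in parts], sha256_hex(b"".join(parts))

def reassemble(store, keys, expected_sha256, check_parts=True):
    """Rebuild the image from the store. Returns (status, image), status being
    'ok', 'missing-part', 'bad-part' or 'bad-image'. check_parts=False models
    a part that slips past the per-part MD5 check (e.g. a colliding part), so
    that only the whole-image SHA-256 is left to catch the substitution."""
    chunks = []
    for key in keys:
        part = store.get(key)
        if part is None:
            return "missing-part", None
        if check_parts and md5_hex(part) != key:
            return "bad-part", None
        chunks.append(part)
    image = b"".join(chunks)
    if sha256_hex(image) != expected_sha256:
        return "bad-image", None
    return "ok", image

# Constructed sample data: three "parts" of an image and a mirror that serves
# them keyed by MD5.
PARTS = [b"isolinux" * 64, b"pool/main/a/abc_1.0.deb" * 32, b"md5sum.txt\n"]
KEYS, IMAGE_SHA256 = build_template(PARTS)
GOOD_STORE = {md5_hex(p): p for p in PARTS}

# A mirror that returns wrong bytes (same length) for the second part.
TAMPERED_STORE = dict(GOOD_STORE)
TAMPERED_STORE[KEYS[1]] = b"pool/main/a/abc_1.0.deb" * 31 + b"x" * 23

if __name__ == "__main__":
    print(reassemble(GOOD_STORE, KEYS, IMAGE_SHA256)[0])                        # ok
    print(reassemble(TAMPERED_STORE, KEYS, IMAGE_SHA256)[0])                    # bad-part
    print(reassemble(TAMPERED_STORE, KEYS, IMAGE_SHA256, check_parts=False)[0])  # bad-image
```

The MD5 here only decides which file to fetch; acceptance of the result rests on the whole-image SHA-256, which is why a per-part MD5 weakness is less critical in this setting than it would be if MD5 were the only integrity check.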