Re: Bug#942893: ftp.debian.org: please drop MD5sum lines from Packages
On Wed, Oct 23, 2019 at 09:29:53PM -0400, Daniel Kahn Gillmor wrote:
>On Wed 2019-10-23 16:39:24 +0100, Steve McIntyre wrote:
>> On Tue, Oct 22, 2019 at 11:51:56PM +0200, Ansgar wrote:
>>> - writing MD5sum in a separate file only used by debian-cd (if present,
>>> otherwise debian-cd should fall back to using Packages), or
>
>Sounds like this is the only option available given the constraints of
>deployed systems in the field.
>
>What parts of debian's internal machinery need to be updated to do such
>a thing?
>
>> I've started a local branch to update jigdo and jigit/libjte to use
>> sha256 some time ago, but -ENOTIME.
>
>Bummer, and i feel for you.
>
>Perhaps we should officially EOL jigdo now, if no one has time to work
>on it.
No, *really* no. It's just bumped up my priority list now.
>Obviously, we'd continue supporting deployed legacy systems and give
>them a chance (one release cycle?) to switch to something that is
>actually maintained, but it is doing them no favors to pretend that a
>system they're relying on is getting maintenance when no one has time to
>work on it.
It's more complicated than this - we *also* use jigdo for:
* mirroring of images, both on the mirror network and also for those
  of us doing release day tests etc.
* providing a wider range of images for download without having to
  store all the data for ISO / BT download (e.g. a full range of
  DVDs, BD images, etc.)
* archiving older releases, again so we don't have to keep *all* the
  ISOs *ever*
>> As mentioned in IRC yesterday, we will also need some time to update
>> clients in the field to be able to upgrade safely. That includes
>> Windows binaries (yay!)...
>
>The time to update (or deprecate) deployed clients that depend on md5
>for object integrity was something like 8 years ago when RFC 6151 was
>published :(
The vast majority of the usage of MD5 here is for (essentially)
content-addressable storage. Given the context (with a checksum over
the whole image too), this is not such a critical failing.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles. --- Anthony DeBoer
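The two-layer design Steve describes (parts looked up by MD5 as a content-addressing key, plus a checksum over the whole image) can be shown in a few dozen lines. The following is an added example written for this page, not jigdo's or debian-cd's own code, and it does not reproduce the real .jigdo/.template format. Assumptions: the whole-image checksum is SHA-256 (standing in for the published SHA256SUMS entry); the "mirror" is an in-memory dict; the sample image is constructed; and `weak_key` (MD5 truncated to 16 bits) is a stand-in for a real MD5 collision so that the substituted-part case can be brute-forced in well under a second. The lookup hash is a parameter, so the same reassembly code runs with MD5 or SHA-256 keys.

```python
import hashlib


def md5_key(data: bytes) -> str:
    # Legacy jigdo-style lookup key: MD5 of the part.
    return hashlib.md5(data).hexdigest()


def sha256_key(data: bytes) -> str:
    # Lookup key a migrated client would use instead.
    return hashlib.sha256(data).hexdigest()


def weak_key(data: bytes) -> str:
    # 16-bit truncation of MD5: a CONSTRUCTED stand-in for a real MD5
    # collision, used only to demonstrate the colliding-part case quickly.
    return hashlib.md5(data).hexdigest()[:4]


class ContentStore:
    """Hypothetical mirror: a dict from lookup key to part bytes."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.blobs = {}

    def put(self, data: bytes) -> str:
        key = self.key_fn(data)
        self.blobs[key] = data
        return key

    def get(self, key: str) -> bytes:
        return self.blobs[key]


def split(image: bytes, part_size: int):
    return [image[i:i + part_size] for i in range(0, len(image), part_size)]


def make_template(image: bytes, part_size: int, key_fn):
    """Template = ordered part keys plus SHA-256 over the whole image
    (assumed here to stand in for the published SHA256SUMS entry)."""
    keys = [key_fn(p) for p in split(image, part_size)]
    return keys, hashlib.sha256(image).hexdigest()


def assemble(template, store: ContentStore, key_fn) -> bytes:
    keys, image_digest = template
    out = bytearray()
    for key in keys:
        blob = store.get(key)
        # Layer 1: the fetched part must hash to the key it was looked up by.
        if key_fn(blob) != key:
            raise ValueError("part key mismatch")
        out += blob
    # Layer 2: the reassembled image must match the whole-image checksum.
    if hashlib.sha256(out).hexdigest() != image_digest:
        raise ValueError("whole-image checksum mismatch")
    return bytes(out)


# Constructed sample "image": 2 KiB of deterministic, non-repeating bytes.
IMAGE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PART_SIZE = 512


def roundtrip(key_fn) -> bool:
    """Populate a store with the sample image's parts and rebuild it."""
    store = ContentStore(key_fn)
    for part in split(IMAGE, PART_SIZE):
        store.put(part)
    return assemble(make_template(IMAGE, PART_SIZE, key_fn), store, key_fn) == IMAGE


def find_collision(data: bytes, key_fn) -> bytes:
    """Brute-force different bytes with the same key; feasible only because
    weak_key keeps 16 bits (about 65k MD5 calls on average)."""
    target = key_fn(data)
    i = 0
    while True:
        candidate = b"evil-" + str(i).encode()
        if candidate != data and key_fn(candidate) == target:
            return candidate
        i += 1


def substitution_outcome() -> str:
    """A mirror serves a colliding part: layer 1 passes, layer 2 must catch it."""
    store = ContentStore(weak_key)
    parts = split(IMAGE, PART_SIZE)
    for part in parts:
        store.put(part)
    template = make_template(IMAGE, PART_SIZE, weak_key)
    evil = find_collision(parts[1], weak_key)
    store.blobs[weak_key(parts[1])] = evil        # attacker-controlled mirror
    assert weak_key(evil) == weak_key(parts[1])   # layer 1 cannot tell them apart
    try:
        assemble(template, store, weak_key)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("md5 keys round-trip:", roundtrip(md5_key))
    print("sha256 keys round-trip:", roundtrip(sha256_key))
    print("colliding part:", substitution_outcome())
```

The point of `substitution_outcome` is the argument in the message: a colliding part sails through the per-part key check, because that check can only confirm the key, but the whole-image checksum still rejects the result. Switching `key_fn` from `md5_key` to `sha256_key` is the client-side half of the migration; the template and store contents have to be regenerated with the new key at the same time, which is the "clients in the field" problem the thread is about.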