
Re: ftp.debian.org: please drop MD5sum lines from Packages



Hi,

I wrote:
> > [...] MD5s. I'd rather characterize them as relation keys and as
> >  transport checksums.

Steve McIntyre wrote:
> It's *also* checking for potential corruption in the mirror at build
> time.

MD5 is well suited for that, as long as this is not considered to be part
of an intrusion detection system.


> > I wonder whether it is really that hard for debian-cd to compute the MD5s
> > on its own, before it runs xorriso.

> But that loses the mirror-checking feature that I'd like to keep.

How about mirror checking by SHA256 in grab_md5, before computing the
MD5 for jigdo?
This would authorize the MD5 in a similar strength as it is currently by
the list from which grab_md5 reads it.


> I *do* want to update things here, and it's not far off done AFAICS.

But the confusion caused by the format change ...
"old-old-stable" not being able to download the full DVD set of "stable".


> I'm looking at moving to sha256 now, and this will pull through the whole
> pipeline.

Don't forget to notify me when a new libjte tarball is ready for inclusion
in GNU xorriso.


Have a nice day :)

Thomas
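
Added example, not part of the original message and not debian-cd code: one way the suggestion above could work, checking each mirror file against the SHA256 from a Packages index in the same read pass that computes the MD5 for jigdo, and releasing the MD5 only if the SHA256 matches. All function names, the sample stanza and the file content are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample payload; not taken from a real archive.
SAMPLE_DEB = b"constructed package payload\n"

def parse_packages(text):
    """Yield (Filename, SHA256) for every stanza of a Packages index."""
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines are not needed here
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields and "SHA256" in fields:
            yield fields["Filename"], fields["SHA256"].lower()

def md5_after_sha256_check(path, expected_sha256, bufsize=1 << 20):
    """Read the file once; return its MD5 only if its SHA256 matches."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            sha256.update(chunk)
            md5.update(chunk)
    if sha256.hexdigest() != expected_sha256:
        raise ValueError(f"mirror corruption: SHA256 mismatch for {path}")
    return md5.hexdigest()

def jigdo_md5_list(mirror_root, packages_text):
    """Map each listed file to a locally computed, SHA256-backed MD5."""
    return {name: md5_after_sha256_check(os.path.join(mirror_root, name), digest)
            for name, digest in parse_packages(packages_text)}

def demo():
    """Build a one-file constructed mirror and check it."""
    with tempfile.TemporaryDirectory() as root:
        rel = "pool/main/e/example/example_1.0_all.deb"
        os.makedirs(os.path.dirname(os.path.join(root, rel)))
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(SAMPLE_DEB)
        index = (f"Package: example\nFilename: {rel}\n"
                 f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n")
        return jigdo_md5_list(root, index)

if __name__ == "__main__":
    print(demo())
```

The MD5 produced this way is only as trustworthy as the Packages index the SHA256 came from, so the index itself has to be authenticated first.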

