
Re: ftp.debian.org: please drop MD5sum lines from Packages



Hi,

Daniel Kahn Gillmor wrote:
> Is the final checksum over the whole image also MD5, or do we use
> something stronger?

Currently, the downloader only checks MD5. But it already has a wide
range of better checksums to choose from.

A typical .jigdo file contains this header part (after gunzip):
--------------------------------------------------------------------------
  [Image]
  Filename=debian-9.4.0-amd64-DLBD-2.iso
  Template=debian-9.4.0-amd64-DLBD-2.template
  Template-MD5Sum=UUlMi543CsRBsp4bsc3qqQ
  ShortInfo='Debian GNU/Linux 9.4.0 "Stretch" - Official amd64 DLBD Binary-2 20180310-11:21 (20180310)'
  Info='Generated on Sat, 10 Mar 2018 11:51:35 +0000'
  # Template Hex MD5Sum 51494c8b9e370ac441b29e1bb1cdeaa9
  # Template size 9515642 bytes
  # Image Hex MD5Sum 7ba8110513d4b78ae9a3546ad89ba91a
  # Image Hex SHA1Sum 9e3d3335827d6957b4625417694b985c0d1cfb46
  # Image Hex SHA256Sum 3fd0372d7b21d4e5d687029bc06760085aef5d567f38c8a2a5813ffe8ef3c938
  # Image Hex SHA512Sum 2eadb17b18214d81ed0b874f16de6b678cc5f1fee93b8dc9057a3534289c5c73bd833fe9ba17632ea83a3a7e6a51ac5a9681ba63b998d682215ebbc13fe27c58
  # Image size 11999660032 bytes
--------------------------------------------------------------------------

So we see that there are MD5, SHA1, SHA256, SHA512 for the resulting .iso
image file. The only opportunity to check the input file .template is MD5.

But the officially advised way of verifying a Debian ISO is to use the
files SHA*SUMS.sign and SHA*SUMS from the same location from where .jigdo
and .template come.
For example
  https://cdimage.debian.org/mirror/cdimage/archive/9.4.0/amd64/jigdo-dlbd/SHA256SUMS
has
--------------------------------------------------------------------------
  3fd0372d7b21d4e5d687029bc06760085aef5d567f38c8a2a5813ffe8ef3c938  debian-9.4.0-amd64-DLBD-2.iso
  7beb78f882cafe6febd43f9677e0cb46a37ff93f1cf5fefd72b5f17afb79b6aa  debian-9.4.0-amd64-DLBD-2.jigdo
  9fe6e66383199303d59c7cb5315163cc1d00a1506ed279ee7cebe54ca8d85fd7  debian-9.4.0-amd64-DLBD-2.template
--------------------------------------------------------------------------

Note the match of the SHA256 sums in both .jigdo and SHA256SUMS.


Have a nice day :)

Thomas
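
The cross-check described in the message above, as an added example that is not part of the original mail or of jigdo itself: it parses the `[Image]` header, decodes the base64 `Template-MD5Sum` to compare it with the hex comment, and compares the image SHA256 with the SHA256SUMS entry. The function names are hypothetical, the URL-safe base64 alphabet is an assumption, and the result is only meaningful once SHA256SUMS has been verified against SHA256SUMS.sign, which this code does not do.

```python
import base64
import re

# Sample data copied from the message above (header excerpt and SHA256SUMS lines).
JIGDO_HEADER = """\
[Image]
Filename=debian-9.4.0-amd64-DLBD-2.iso
Template=debian-9.4.0-amd64-DLBD-2.template
Template-MD5Sum=UUlMi543CsRBsp4bsc3qqQ
# Template Hex MD5Sum 51494c8b9e370ac441b29e1bb1cdeaa9
# Image Hex MD5Sum 7ba8110513d4b78ae9a3546ad89ba91a
# Image Hex SHA256Sum 3fd0372d7b21d4e5d687029bc06760085aef5d567f38c8a2a5813ffe8ef3c938
"""
SHA256SUMS = """\
3fd0372d7b21d4e5d687029bc06760085aef5d567f38c8a2a5813ffe8ef3c938  debian-9.4.0-amd64-DLBD-2.iso
7beb78f882cafe6febd43f9677e0cb46a37ff93f1cf5fefd72b5f17afb79b6aa  debian-9.4.0-amd64-DLBD-2.jigdo
9fe6e66383199303d59c7cb5315163cc1d00a1506ed279ee7cebe54ca8d85fd7  debian-9.4.0-amd64-DLBD-2.template
"""

def parse_jigdo_header(text):
    """Return (key=value fields, {(object, algorithm): hex digest}) from the header."""
    fields, sums = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s+(Template|Image) Hex (\w+)Sum\s+([0-9a-f]+)$", line)
        if m:
            sums[(m.group(1), m.group(2))] = m.group(3)
        elif "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key] = value
    return fields, sums

def parse_sums(text):
    """Parse sha256sum-style lines into {filename: hex digest}."""
    return {name.strip().lstrip("*"): digest.lower()
            for digest, name in (l.split(None, 1) for l in text.splitlines() if l.strip())}

def b64_md5_to_hex(value):
    """Decode the unpadded base64 digest to hex (URL-safe alphabet is an assumption)."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).hex()

def cross_check(jigdo_text, sums_text):
    fields, sums = parse_jigdo_header(jigdo_text)
    listed = parse_sums(sums_text)
    return {
        "template_md5_consistent": b64_md5_to_hex(fields["Template-MD5Sum"]) == sums[("Template", "MD5")],
        "image_sha256_matches_sums": listed.get(fields["Filename"]) == sums[("Image", "SHA256")],
        "template_in_sums_list": fields["Template"] in listed,
    }
```

The `template_in_sums_list` result shows that SHA256SUMS also covers the .template file, so the template can be checked with SHA256 outside the downloader even though the .jigdo header carries only MD5 for it.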

