
Re: ftp.debian.org: please drop MD5sum lines from Packages



On Thu, Oct 24, 2019 at 09:05:16AM +0200, Thomas Schmitt wrote:
>Hi,
>
>Ansgar wrote:
>> > > From looking, I believe it is debian-cd's tools/grab_md5 that is using
>> > > the MD5sum from Packages (and Sources) to avoid having to compute all
>> > > these checksums itself.
>
>Steve McIntyre wrote:
>> > Well, not just that. It grabs them for use in the jigdo file. The
>> > jigdo backend in xorriso (libjte) also checks them as it creates the
>> > ISO, for sanity checking on archive/mirror consistency right there.
>
>The aspect of "archive/mirror consistency" is not what i perceive as
>the main purpose of the MD5s. I'd rather characterize them as relation
>keys and as transport checksums.

Sure, that's *most* of it.

It's *also* checking for potential corruption in the mirror at build
time. We used to have a separate slow step in debian-cd for that, then
replaced it with the checking inside JTE. We *have* found occasional
errors this way over the years.

>Not as security precaution.

Agreed.

[ suggestion to stay with md5 internally ]

I *do* want to update things here, and it's not far off done AFAICS.

>> >  As mentioned in IRC yesterday, we
>> > will also need some time to update clients in the field to be able to
>> > upgrade safely.
>
>My proposal would make this update of clients much smoother, because the
>old not-so-safe clients would continue to work with new jigdo files.
>
>I wonder whether it is really that hard for debian-cd to compute the MD5s
>on its own, before it runs xorriso.

But that loses the mirror-checking feature that I'd like to keep. I'm
looking at moving to sha256 now, and this will pull through the whole
pipeline.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
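The mirror check Steve describes above (hash every file the Packages index lists and compare it with the digest the index carries), written out as an added example in Python. This is not debian-cd, grab_md5 or libjte code. It prefers the SHA256 field where a stanza has one and falls back to MD5sum for older indexes, so one check covers both sides of the transition the thread discusses. The Packages text, pool paths and mirror tree are constructed inline for the demonstration and are not real archive data.

```python
"""Mirror-consistency check driven by a Packages file.

Added example for this thread; it is not debian-cd, grab_md5 or libjte
code. It parses Packages stanzas (RFC 822-style, blank-line separated),
hashes each listed Filename under a mirror root, and compares against
the strongest digest the stanza carries (SHA256 first, MD5sum as a
fallback for older indexes). The mirror tree and Packages text are
constructed inline so the script runs offline.
"""
import hashlib
import os
import tempfile

# Field name in Packages -> hashlib algorithm, strongest first.
DIGEST_FIELDS = (("SHA256", "sha256"), ("MD5sum", "md5"))


def parse_packages(text):
    """Split a Packages file into a list of {field: value} stanzas.

    Continuation lines (leading whitespace, as in Description) are
    appended to the preceding field."""
    stanzas, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif raw[0] in " \t" and last is not None:
            current[last] += "\n" + raw.strip()
        else:
            field, _, value = raw.partition(":")
            last = field.strip()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def hash_file(path, algo):
    """Stream a file through hashlib so large .deb files are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_mirror(stanzas, mirror_root):
    """Return {Filename: (status, algo)}; status is ok, mismatch, missing or no-digest."""
    results = {}
    for st in stanzas:
        name = st.get("Filename")
        if not name:
            continue
        chosen = next(((a, st[f].lower()) for f, a in DIGEST_FIELDS if f in st), None)
        if chosen is None:
            results[name] = ("no-digest", None)  # index gives nothing to verify against
            continue
        algo, expected = chosen
        path = os.path.join(mirror_root, name)
        if not os.path.isfile(path):
            results[name] = ("missing", algo)
            continue
        size_ok = "Size" not in st or os.path.getsize(path) == int(st["Size"])
        good = size_ok and hash_file(path, algo) == expected
        results[name] = ("ok" if good else "mismatch", algo)
    return results


def build_demo_mirror():
    """Constructed test data: a temp mirror tree plus matching Packages text.

    gamma is corrupted on disk, delta has no digest field, epsilon is
    listed in Packages but absent from the mirror."""
    spec = [  # (package, Filename, digest fields to emit, present on disk)
        ("alpha", "pool/main/a/alpha/alpha_1.0-1_all.deb", ("MD5sum",), True),
        ("beta", "pool/main/b/beta/beta_2.0-1_all.deb", ("MD5sum", "SHA256"), True),
        ("gamma", "pool/main/g/gamma/gamma_3.0-1_all.deb", ("SHA256",), True),
        ("delta", "pool/main/d/delta/delta_4.0-1_all.deb", (), True),
        ("epsilon", "pool/main/e/epsilon/epsilon_5.0-1_all.deb", ("SHA256",), False),
    ]
    root = tempfile.mkdtemp(prefix="mirror-")
    stanzas = []
    for pkg, name, fields, on_disk in spec:
        data = f"{pkg}-data\n".encode()
        lines = [f"Package: {pkg}", f"Filename: {name}", f"Size: {len(data)}"]
        for field, algo in DIGEST_FIELDS:
            if field in fields:
                lines.append(f"{field}: {hashlib.new(algo, data).hexdigest()}")
        stanzas.append("\n".join(lines))
        if on_disk:
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data.upper() if pkg == "gamma" else data)  # same size, flipped bytes
    return root, "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    root, text = build_demo_mirror()
    for name, (status, algo) in check_mirror(parse_packages(text), root).items():
        print(f"{status:9} {algo or '-':7} {name}")
```

Running it prints one line per Filename. The gamma case is the one the build-time check exists for: the file is present and the right size, and only the digest reveals that the mirror object is not what the index describes. Because the fallback is MD5sum, this catches accidental corruption, which matches the thread's point that the MD5 lines are transport checksums rather than a security precaution.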