
Re: ftp.debian.org: please drop MD5sum lines from Packages



On Thu, Oct 24, 2019 at 12:56:53PM +0200, Thomas Schmitt wrote:
>Hi,
>
>I wrote:
>> > [...] MD5s. I'd rather characterize them as relation keys and as
>> >  transport checksums.
>
>Steve McIntyre wrote:
>> It's *also* checking for potential corruption in the mirror at build
>> time.
>
>MD5 is well suited for that, as long as this is not considered to be part
>of an intrusion detection system.

Exactly.

>> > I wonder whether it is really that hard for debian-cd to compute the MD5s
>> > on its own, before it runs xorriso.
>
>> But that loses the mirror-checking feature that I'd like to keep.
>
>How about mirror checking by SHA256 in grab_md5, before computing the
>MD5 for jigdo?

That's slow, doing two passes of MD5: one here, one later on when
we're doing the I/O anyway. I'd much rather just switch from md5 to
sha256 in both places and use the already-available checksum
data. That's a lot of the point of the JTE design in the first place.

>> I *do* want to update things here, and it's not far off done AFAICS.
>
>But the confusion caused by the format change ...
>"old-old-stable" not being able to download the full DVD set of "stable".

It'll take time to switch everything - I'll make an EOL announcement.

>> I'm looking at moving to sha256 now, and this will pull through the whole
>> pipeline.
>
>Don't forget to notify me when a new libjte tarball is ready for inclusion
>in GNU xorriso.

Yup, of course. :-)

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds
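
Added example (not part of the original message, and not debian-cd or libjte code): a sketch of the single-pass approach discussed above, where the SHA256 already listed in Packages is checked while the file is being read for other I/O anyway. The stanza, file name and payload are constructed, and parse_stanza, copy_and_verify and demo are hypothetical names.

```python
import hashlib, io, os, tempfile

def parse_stanza(text):
    """Parse one Packages stanza into a dict (continuation lines are folded)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value.strip()
    return fields

def copy_and_verify(mirror_root, stanza, out, bufsize=1 << 16):
    """Stream the file to `out` once, hashing as we go; True if it matches Packages."""
    path = os.path.join(mirror_root, stanza["Filename"])
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as src:
        while chunk := src.read(bufsize):
            digest.update(chunk)   # checksum computed on the same read ...
            size += len(chunk)
            out.write(chunk)       # ... that feeds the image being written
    return size == int(stanza["Size"]) and digest.hexdigest() == stanza["SHA256"].lower()

def demo():
    """Constructed sample: one intact and one corrupted copy of the same file."""
    payload = b"constructed package payload\n" * 1000
    stanza_text = (
        "Package: example-pkg\n"
        "Filename: pool/main/e/example-pkg/example-pkg_1.0_all.deb\n"
        f"Size: {len(payload)}\n"
        f"SHA256: {hashlib.sha256(payload).hexdigest()}\n"
    )
    stanza = parse_stanza(stanza_text)
    results = []
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, stanza["Filename"])
        os.makedirs(os.path.dirname(path))
        for data in (payload, payload[:-1] + b"X"):  # second copy has one changed byte
            with open(path, "wb") as f:
                f.write(data)
            results.append(copy_and_verify(root, stanza, io.BytesIO()))
    return results

if __name__ == "__main__":
    print(demo())
```

The corrupted copy has the same size as the original, so only the digest comparison catches it.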

