Re: Upgrade the embedded checksum from MD5 to SHA256?

To: Steve McIntyre <steve@einval.com>
Cc: Roland Clobus <rclobus@rclobus.nl>, debian-cd@lists.debian.org
Subject: Re: Upgrade the embedded checksum from MD5 to SHA256?
From: Cyril Brulebois <kibi@debian.org>
Date: Tue, 17 Dec 2024 02:37:23 +0100
Message-id: <[🔎] 20241217013723.bm43frgvpuvwwxnc@mraw.org>
In-reply-to: <[🔎] 20241216142416.GA2079398@tack.einval.com>
References: <[🔎] f93b9b1e-8882-461a-ac94-1400b76a7045@rclobus.nl> <[🔎] 20241216142416.GA2079398@tack.einval.com>

Steve McIntyre <steve@einval.com> (2024-12-16):
> That's fine IMHO: at this point, the checksum is for verifying media
> corruption rather than tampering. md5 is fine for that. We tell people
> how to verify an image download using stronger checksum, as that's the
> place that's likely to be attacked.

Yes, that's the same kind of benefit we get from having md5sums shipped
in deb files?

> I don't think this matters, tbh. Any other opinions?

The status quo looks fine to me, switching does not seem crazy either
(modulo making sure data shipped vs. code using it get with a suitable
timing and/or with some fallback code, I didn't look into the details).


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Upgrade the embedded checksum from MD5 to SHA256?
  - From: Roland Clobus <rclobus@rclobus.nl>
- Re: Upgrade the embedded checksum from MD5 to SHA256?
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: Re: Bug#1088605: Bug#1084789: debian-testing-amd64-netinst.iso has multiple versions of module udebs
Next by Date: Bug#1084789: Bug#1088605: Bug#1084789: debian-testing-amd64-netinst.iso has multiple versions of module udebs
Previous by thread: Re: Upgrade the embedded checksum from MD5 to SHA256?
Next by thread: Processed: reassign 1088605 to cdimage.debian.org
Index(es):
- Date
- Thread