Re: Bug#540215: Introduce dh_checksums

To: debian-devel@lists.debian.org
Subject: Re: Bug#540215: Introduce dh_checksums
From: Peter Samuelson <peter@p12n.org>
Date: Tue, 9 Mar 2010 10:50:59 -0600
Message-id: <[🔎] 20100309165059.GR18278@p12n.org>
In-reply-to: <[🔎] 1268123295.21347.12099.camel@solid.paris.klabs.be>
References: <[🔎] 1268066168.21347.9661.camel@solid.paris.klabs.be> <[🔎] 87wrxmbkdn.fsf@windlord.stanford.edu> <[🔎] 1268085864.21347.11498.camel@solid.paris.klabs.be> <[🔎] 87d3zea1fu.fsf@windlord.stanford.edu> <[🔎] 20100308225913.GA25043@gnu.kitenet.net> <[🔎] 20100309033842.GB15017@nn.nn> <[🔎] 87k4tmupju.fsf@windlord.stanford.edu> <[🔎] 20100309034954.GA4125@gnu.kitenet.net> <[🔎] 87d3zeuoxr.fsf@windlord.stanford.edu> <[🔎] 1268123295.21347.12099.camel@solid.paris.klabs.be>

[Frank Lin PIAT]
> Please, let's do the easy move *now* for Squeeze, using shasums, and
> go ahead later with an even better solution.

Drawbacks: more CPU time on build daemons, slightly larger binary
packages to download, and some disruption when we're trying to get a
release out the door.

Advantages: ... umm ... warm fuzzy feeling that we aren't relying on
that old stupid broken MD5 thing that is so out of fashion these days
among the cognoscenti?

If you really want to use /var/lib/dpkg/info/pkg.*sums files for any
purpose other than detecting non-malicious corruption, obviously you
need _either_ some form of package signatures, _or_ a server akin to
http://packages.debian.org/changelogs/ for serving checksums from a
more trusted source.  And of course if you have that sort of server
support anyway - why not just calculate those sha16384 sums on the
server, with no change to the debs at all?

Peter

Reply to:

Follow-Ups:
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>

References:
- Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>

Prev by Date: dsniff is dead, long life to dsniff
Next by Date: Re: Bug#540215: Introduce dh_checksums
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread