Re: Bug#540215: Introduce dh_checksums
On Tue, Mar 09, 2010 at 10:50:59AM -0600, Peter Samuelson wrote:
> [Frank Lin PIAT]
> > Please, let's do the easy move *now* for Squeeze, using shasums, and
> > go ahead later with an even better solution.
> Drawbacks: more CPU time on build daemons, slightly larger binary
> packages to download, and some disruption when we're trying to get a
> release out the door.
> Advantages: ... umm ... warm fuzzy feeling that we aren't relying on
> that old stupid broken MD5 thing that is so out of fashion these days
> among the cognoscenti?
> If you really want to use /var/lib/dpkg/info/pkg.*sums files for any
> purpose other than detecting non-malicious corruption, obviously you
> need _either_ some form of package signatures, _or_ a server akin to
> http://packages.debian.org/changelogs/ for serving checksums from a
> more trusted source. And of course if you have that sort of server
> support anyway - why not just calculate those sha16384 sums on the
> server, with no change to the debs at all?
See, you don't need a server. You just ship a signature over the hash
files. Easy as that. Of course the hashes would neet to be something more
secure than md5, for that warm fuzzy feeling that in two years time
not every script kiddy can mount hash attacks on their home computer.