Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)

On Thu, Oct 11, 2012 at 08:18:55PM +0200, Kurt Roeckx wrote:
> MD5 is covered by policy, and it's the only mentioned in policy,
> maybe that should change.

Hi Kurt and everybody,

For control files, Checksums-Sha1 and Checksums-Sha256 are covered in chapter
5, where they are marked as recommended.


  These multiline fields contain a list of files with a checksum and size for
  each one. Both Checksums-Sha1 and Checksums-Sha256 have the same syntax and
  differ only in the checksum algorithm used: SHA-1 for Checksums-Sha1 and
  SHA-256 for Checksums-Sha256.
  Checksums-Sha1 and Checksums-Sha256 are multiline fields. The first line of
  the field value (the part on the same line as Checksums-Sha1: or
  Checksums-Sha256:) is always empty. The content of the field is expressed as
  continuation lines, one line per file. Each line consists of the checksum, a
  space, the file size, a space, and the file name. For example (from a .changes
  Checksums-Sha1:
      1f418afaa01464e63cc1ee8a66a05f0848bd155c 1276 example_1.0-1.dsc
      a0ed1456fad61116f868b1855530dbe948e20f06 171602 example_1.0.orig.tar.gz
      5e86ecf0671e113b63388dac81dd8d00e00ef298 6137 example_1.0-1.debian.tar.gz
      71a0ff7da0faaf608481195f9cf30974b142c183 548402 example_1.0-1_i386.deb
  Checksums-Sha256:
      ac9d57254f7e835bed299926fd51bf6f534597cc3fcc52db01c4bffedae81272 1276 example_1.0-1.dsc
      0d123be7f51e61c4bf15e5c492b484054be7e90f3081608a5517007bfb1fd128 171602 example_1.0.orig.tar.gz
      f54ae966a5f580571ae7d9ef5e1df0bd42d63e27cb505b27957351a495bc6288 6137 example_1.0-1.debian.tar.gz
      3bec05c03974fdecd11d020fc2e8250de8404867a8a2ce865160c250eb723664 548402 example_1.0-1_i386.deb

  In the .dsc file, these fields should list all files that make up the source
  package. In the .changes file, these fields should list all files being
  uploaded. The list of files in these fields must match the list of files in the
  Files field.

For MD5, it is only mentioned in the description of the Files field (same
chapter), in appendix D about other control fields (MD5sum), and in appendix E
about configuration file handling.

Please let us know if there is something else missing about SHA-1 or SHA-256.


Charles Plessy
Tsurumi, Kanagawa, Japan
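The field syntax quoted from Policy above (empty first line, then one continuation line per file with checksum, size and name, and the requirement that the list match the Files field) can be checked mechanically. The following is an added example, not code from Debian's tooling or from the post; it builds a constructed .dsc-style fragment (Files as md5sum, size, name) from embedded sample bytes, parses the multiline fields, and verifies the SHA-1 and SHA-256 entries against the file contents.

```python
import hashlib

# Constructed sample file contents (not the files from the Policy example).
SAMPLE_FILES = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
    "example_1.0.orig.tar.gz": b"not a real tarball; constructed for this example\n",
}
ALGOS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def build_control(files):
    """Emit Files and Checksums-* fields in the .dsc layout (md5sum/checksum, size, name)."""
    lines = []
    for field, algo in [("Files", "md5"), ("Checksums-Sha1", "sha1"), ("Checksums-Sha256", "sha256")]:
        lines.append(f"{field}:")  # first line of the field value is always empty
        for name, data in files.items():
            lines.append(f" {hashlib.new(algo, data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def parse_multiline_fields(control):
    """Parse multiline fields into {field: [(digest, size, name), ...]}."""
    fields, current = {}, None
    for line in control.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # continuation line: checksum, space, size, space, name
            digest, size, name = line.split()  # ValueError unless exactly three tokens
            fields[current].append((digest, int(size), name))
        else:
            current, _, rest = line.partition(":")
            if rest.strip():
                raise ValueError(f"{current}: first line of the value must be empty")
            fields[current] = []
    return fields

def verify(control, files):
    """Return a list of problems; empty means sizes, digests and file lists all agree."""
    fields = parse_multiline_fields(control)
    problems = []
    wanted = sorted(name for _, _, name in fields.get("Files", []))
    for field, algo in ALGOS.items():
        entries = fields.get(field, [])
        if sorted(n for _, _, n in entries) != wanted:
            problems.append(f"{field}: file list differs from Files")
        for digest, size, name in entries:
            data = files.get(name)
            if data is None:
                problems.append(f"{field}: {name} missing")
            elif len(data) != size or hashlib.new(algo, data).hexdigest() != digest:
                problems.append(f"{field}: {name} size/digest mismatch")
    return problems
```

Only the SHA fields are verified; the md5sums in Files are parsed for the file-list comparison but deliberately not trusted.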