Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)

To: debian-devel@lists.debian.org
Subject: Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
From: Charles Plessy <plessy@debian.org>
Date: Fri, 12 Oct 2012 07:43:10 +0900
Message-id: <[🔎] 20121011224310.GA12464@falafel.plessy.net>
In-reply-to: <[🔎] 20121011181855.GA8645@roeckx.be>
References: <[🔎] 1349911198.3341.117.camel@fermat.scientia.net> <[🔎] 20121011181855.GA8645@roeckx.be>

Le Thu, Oct 11, 2012 at 08:18:55PM +0200, Kurt Roeckx a écrit :
>
> MD5 is covered by policy, and it's the only mentioned in policy,
> maybe that should change.

Hi Kurt and everybody,

For control files, Checksums-Sha1 and Checksums-Sha256 are covered in chapter
5, where they are marked as recommended.

-----------------------------------------------------------------------------
http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Checksums

These multiline fields contain a list of files with a checksum and size for
each one. Both Checksums-Sha1 and Checksums-Sha256 have the same syntax and
differ only in the checksum algorithm used: SHA-1 for Checksums-Sha1 and
SHA-256 for Checksums-Sha256.

Checksums-Sha1 and Checksums-Sha256 are multiline fields. The first line of
the field value (the part on the same line as Checksums-Sha1: or
Checksums-Sha256:) is always empty. The content of the field is expressed as
continuation lines, one line per file. Each line consists of the checksum, a
space, the file size, a space, and the file name. For example (from a .changes
file):

Checksums-Sha1:
1f418afaa01464e63cc1ee8a66a05f0848bd155c 1276 example_1.0-1.dsc
a0ed1456fad61116f868b1855530dbe948e20f06 171602 example_1.0.orig.tar.gz
5e86ecf0671e113b63388dac81dd8d00e00ef298 6137 example_1.0-1.debian.tar.gz
71a0ff7da0faaf608481195f9cf30974b142c183 548402 example_1.0-1_i386.deb
Checksums-Sha256:
ac9d57254f7e835bed299926fd51bf6f534597cc3fcc52db01c4bffedae81272 1276 example_1.0-1.dsc
0d123be7f51e61c4bf15e5c492b484054be7e90f3081608a5517007bfb1fd128 171602 example_1.0.orig.tar.gz
f54ae966a5f580571ae7d9ef5e1df0bd42d63e27cb505b27957351a495bc6288 6137 example_1.0-1.debian.tar.gz
3bec05c03974fdecd11d020fc2e8250de8404867a8a2ce865160c250eb723664 548402 example_1.0-1_i386.deb

In the .dsc file, these fields should list all files that make up the source
package. In the .changes file, these fields should list all files being
uploaded. The list of files in these fields must match the list of files in the
Files field.
-----------------------------------------------------------------------------

For MD5, it is only mentionned in the description of the Files field (same
chapter), in appendix D about other control fields (MD5sum), and in appendix E
about configuration file handling.

Please let us know if there is something else missing about SHA-1 or SHA-256
checksums.

Cheers,

--
Charles Plessy
Tsurumi, Kanagawa, Japan

Reply to:

Follow-Ups:
- Bug#690293: Policy 5.6.24: Checksums-{SHA1,SHA256} are required by the archive software
  - From: Ansgar Burchardt <ansgar@debian.org>

References:
- Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
Next by Date: Re: (seemingly) declinging bug report numbers
Previous by thread: Re: Debian should move away from MD5 (and at best also from SHA1) (in secure APT and friends)
Next by thread: Bug#690293: Policy 5.6.24: Checksums-{SHA1,SHA256} are required by the archive software
Index(es):
- Date
- Thread