
Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?



Hi!

On Fri, 2013-08-02 at 14:52:33 +0200, Paul Wise wrote:
> I noted[1] that some derivatives have introduced SHA512 into their
> Release files (and probably Packages/etc).

This will increase those files (Packages, Sources, etc) by quite a bit,
at least 128 bytes per entry. Is that something we want, and is it
really worth it?

> I was wondering if it is time to drop or deprecate MD5 from the apt
> metadata and replace it with SHA512 and or SHA-3. Thoughts?

Adding stronger hashes support seems in general like a good idea, but
I've never quite understood the urge to remove weaker ones in case
these get accumulated instead of replaced, as more hashes should also
in general imply a harder time coming up with data that will produce
all the same hashes.

In any case, removing md5 support seems like a bad idea to me right
now, as older software might not have been adapted to check the other
hashes, or would imply breaking the current .dsc and .changes formats,
as the Files field uses md5.

It might be good to create a similar wiki page (to DebSupport) with
the repository format support, so that we can get a better idea of the
current status of the software around.

> If so, here is the list of software that probably needs updating:

> dpkg-dev

I've got a local patch to add sha512 support to dpkg-dev, which I
could commit for 1.17.x, if there's no opposition to this proposal.

Thanks,
Guillem
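The message above talks about the Files field of .dsc/.changes carrying MD5 alongside newer Checksums-* fields, and about the cost of adding SHA512. The following is an added worked example (not part of the original message, and not dpkg-dev's code): it parses a deb822-style stanza with Files (MD5), Checksums-Sha256 and an assumed Checksums-Sha512 field, and verifies a file against every listed digest, treating the entry as valid only when all of them agree and any required algorithm is present. The stanza text, the .deb bytes and the field name Checksums-Sha512 are constructed for the example.

```python
"""Verify a file against every checksum listed in a .changes-style stanza.

Added example; not dpkg-dev code.  Field name Checksums-Sha512 is an
assumption (the mail proposes it), the sample .deb bytes are constructed.
"""
import hashlib

# deb822 field name -> hashlib algorithm.  The Files field carries MD5
# plus section/priority columns; the Checksums-* fields carry one hash each.
CHECKSUM_FIELDS = {
    "Files": "md5",
    "Checksums-Sha1": "sha1",
    "Checksums-Sha256": "sha256",
    "Checksums-Sha512": "sha512",  # assumed field name
}

# Constructed stand-in for a .deb (an ar archive header); contents do not
# matter, only that the digests are computed over these exact bytes.
SAMPLE_DEB = b"!<arch>\ndebian-binary   0 0 0 644 4 `\n2.0\n"


def parse_checksums(stanza):
    """Return {filename: {algo: (hexdigest, size)}} for every checksum field.

    Continuation lines start with a single space.  For Files the line is
    "md5 size section priority name"; for Checksums-* it is "digest size
    name", so the name is always the last column and the size the second.
    """
    result = {}
    current = None
    for line in stanza.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is None:          # continuation of a non-checksum field
                continue
            parts = line.split()
            digest, size, name = parts[0], int(parts[1]), parts[-1]
            result.setdefault(name, {})[current] = (digest.lower(), size)
        else:
            field = line.split(":", 1)[0]
            current = CHECKSUM_FIELDS.get(field)
    return result


def verify(stanza, name, data, required=("md5",)):
    """Check data against every digest listed for name.

    Returns (ok, report) where report maps algorithm -> True/False.  ok is
    False if any listed digest or size disagrees, if the file is not
    listed at all, or if an algorithm in `required` is missing, so an
    attacker cannot win by deleting the stronger fields.
    """
    entries = parse_checksums(stanza).get(name, {})
    report = {}
    for algo, (digest, size) in entries.items():
        computed = hashlib.new(algo, data).hexdigest()
        report[algo] = (computed == digest and size == len(data))
    ok = (bool(entries)
          and all(report.values())
          and all(r in entries for r in required))
    return ok, report


def make_stanza(name, data):
    """Build a minimal .changes-style stanza for one file (test input).

    The hex digests are 32, 64 and 128 characters long, which is where the
    per-entry growth discussed in the mail comes from.
    """
    d = {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha256", "sha512")}
    size = len(data)
    return "\n".join([
        "Format: 1.8",
        "Source: example",
        "Files:",
        f" {d['md5']} {size} misc optional {name}",
        "Checksums-Sha256:",
        f" {d['sha256']} {size} {name}",
        "Checksums-Sha512:",
        f" {d['sha512']} {size} {name}",
        "",
    ])


if __name__ == "__main__":
    fname = "example_1.0_amd64.deb"
    stanza = make_stanza(fname, SAMPLE_DEB)
    print(stanza)
    print("genuine :", verify(stanza, fname, SAMPLE_DEB))
    print("tampered:", verify(stanza, fname, SAMPLE_DEB + b"\x00"))
```

The verifier deliberately requires every listed digest to match rather than picking the strongest one it knows: that is the "accumulate, don't replace" reading of the mail, and it means a consumer that only understands MD5 still rejects a file whose MD5 was kept but whose SHA512 line was altered, while a consumer that understands all of them cannot be downgraded by stripping fields it considers required.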