[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

* Paul Wise <pabs@debian.org> [130802 15:54]:
> > In any case, removing md5 support seems like a bad idea to me right
> > now, as older software might not have been adapted to check the other
> > hashes, or would imply breaking the current .dsc and ,changes formats,
> > as the Files field uses md5.
> We've had SHA1 since before snapshot.d.o data started (2005), I would
> guess any relevant software would have been updated in the last 8
> years.

In 2008 ubuntu had Sha256Sums wrong which showed that back then almost
not software even bothered to check those fields:

non-md5sum hashses in Sources generated by DAK were incomplete until
the generation code moved away from apt-ftparchive (early 2011 I think),
thus only the Files: part with md5sums was the only reliable way to get
the list of all files belonging to it.

Support for non-md5sum hashes was added to dpkg-scansources/apt-ftparchive
with apt ( released to unstable 2010-02-01, first released with

So it is not some 8 years. It is more "since squeeze" that Debian and
some of the common tools even produce complete non-md5sum hashes in
Sources indices.

reprepro for example only tries to support source indices without
"Files" (i.e.  md5sum hashes) since 4.12.0 (i.e. since wheezy).

        Bernhard R. Link

Reply to: